# github-prs
  • g

    GitHub

    11/04/2025, 2:32 AM
    #5933 chore(deps): update debian:12.12-slim docker digest to 4d9b5b6 in dockerfile (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | | ------- | ----- | ------ | ------------------ | | debian | stage | digest | 78d2f66 -> 4d9b5b6 | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/04/2025, 4:27 AM
    #5934 fix: Use correct command name for ApprovePolicies Pull request opened by lukemassa ## what Change the command name for the project result of ApprovePolicies to the approve policies command. ## why The command being worked on is `ApprovePolicies` but we are returning as if it ran the `PolicyCheck` command. As far as I can tell this bug has been present since this code was introduced: af2a806#diff-eb466bb07e603dbf2a2a91c776b4d812bf330b3dc02fcaf762380b0078296937R174 I frankly don't quite understand what this does, but if you look at the rest of the doXYZ in plan_command_runner, they follow a particular pattern of referring to commands, and this one simply seems to have been typo'd. ## tests N/A ## references N/A runatlantis/atlantis
  • g

    GitHub

    11/04/2025, 5:11 AM
    #5935 feat: Add the command name to show who is holding dir lock Pull request opened by lukemassa ## what Add information into the TryLock error message that shows what command is trying to grab the lock, and which has it currently. ## why This will aid in debugging, and also moves us towards a locking strategy that is less "working directory" focused and more "command" focused. ## tests I ran atlantis plan twice one after the other and watched it fail [Screenshot 2025-11-03 at 11 59 55 PM] I also ran atlantis plan then pushed a commit and watched it fail on the autoplan [Screenshot 2025-11-04 at 12 09 24 AM] It's worth noting that the code didn't actually know it was running an "autoplan" instead of just a "plan", this is actually a bug that this new logging has demonstrated that I plan to dig into after. ## references N/A runatlantis/atlantis
  • g

    GitHub

    11/05/2025, 2:11 AM
    #4709 Allow for plans to be partially successful Pull request opened by shkamensky When automerge is true, if any plan fails, all plans get deleted. This is true even when running from a github comment. When dealing with many projects, there is a high likelihood that one plan can fail. This allows us to keep applying some plans and reiterate so we don't lose all progress. ## what Allow for plans to be saved when automerge is true by passing a flag. ## why Because the all-or-nothing nature of saving plans can make it very difficult to apply across many projects. For example, if 1 failed because of a DNS issue and 150 other plans succeeded, we want to apply the plans that succeeded and deal with the 1 plan manually. ## tests ## references #3002 runatlantis/atlantis
  • g

    GitHub

    11/05/2025, 2:14 AM
    #5936 chore(deps): update debian:12.12-slim docker digest to 936abff in dockerfile (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | | ------- | ----- | ------ | ------------------ | | debian | stage | digest | 4d9b5b6 -> 936abff | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/06/2025, 2:11 AM
    #5392 feat: allowing JobUrl to the PlanSuccess model for github comment templating Pull request opened by cpaloia ## What This PR adds support for including the job URL in the GitHub comment template by adding the property `JobURL` to the `PlanSuccess` model. This PR also renames the `LockURLGenerator` to `URLGenerator` as it will be used for generating more than just the lock url. Currently the code already uses the router to fulfill this interface, so I have added the function `GenerateProjectJobURL` which it gets from the router. ## Why In certain cases, it's necessary to hide Terraform plan output in GitHub comments—such as in public repositories where the output may contain sensitive information. However, users may still need access to the plan details via a secure URL, such as one behind a firewall or ingress. By including the job URL in the GitHub comment template (in addition to the existing GitHub check link), we provide users with clear guidance on why the output is hidden and where they can access it instead. ## Tests Tested locally by overriding the comment template and verifying the job URL was correctly included. ## References • Atlantis Issue #5391 ## Notes • I encountered issues running `pegomock` unless I downgraded Go to 1.23.0 in `go.mod`. • Currently, the job URL is added only to *plan success*—I considered adding it to `PolicyCheckResults`, but I’m unsure whether those results are accessible via a URL. Would appreciate any feedback on this! runatlantis/atlantis
  • g

    GitHub

    11/06/2025, 2:14 AM
    #5937 chore(deps): update docker/metadata-action digest to 318604b in .github/workflows/atlantis-image.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ---------------------------------------------------------------------------- | ------ | ------ | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [docker/metadata-action](https://redirect.github.com/docker/metadata-action) | action | digest | c1e5197 -> 318604b | [[OpenSSF Scorecard](https://camo.githubusercontent.com/4ac0e476ad44ae944f7d9b7ab42df2dd360d323488952230c5d616ba959ab12e/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f646f636b65722f6d657461646174612d616374696f6e2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/docker/metadata-action) | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/07/2025, 2:03 AM
    #5939 chore(deps): update docker/setup-qemu-action digest to c7c5346 in .github/workflows/testing-env-image.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | -------------------------------------------------------------------------------- | ------ | ------ | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [docker/setup-qemu-action](https://redirect.github.com/docker/setup-qemu-action) | action | digest | 2910929 -> c7c5346 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/e5eb885f2d90f74196e7410a1fe5310ae059e266cdc1336bce526f6bd64b9c82/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f646f636b65722f73657475702d71656d752d616374696f6e2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/docker/setup-qemu-action) | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/07/2025, 2:05 PM
    #5940 feat: add bitbucket cloud api-user flag Pull request opened by jeronimo-caylent ## what • Adds bitbucket-api-user flag for the Bitbucket Cloud client, keeping bitbucket-user just for git operations. By default and for backward compatibility, if no bitbucket-api-user is provided, it uses the bitbucket-user flag. ## why Bitbucket Cloud deprecated App Password authentication, which previously supported the same user for both API calls and Git operations. See #5696 ## tests With the new flag:
    ./atlantis server --bitbucket-user '<user>' --bitbucket-api-user '<user@example.com>' --bitbucket-token '<token>' --repo-allowlist '*' --log-level info
    {"level":"info","ts":"2025-11-07T10:54:04.448-0300","caller":"server/server.go:343","msg":"Supported VCS Hosts: BitbucketCloud","json":{}} {"level":"info","ts":"2025-11-07T10:54:04.814-0300","caller":"server/server.go:504","msg":"Utilizing BoltDB","json":{}} {"level":"info","ts":"2025-11-07T10:54:04.827-0300","caller":"policy/conftest_client.go:168","msg":"failed to get default conftest version. Will attempt request scoped lazy loads DEFAULT_CONFTEST_VERSION not set","json":{}} {"level":"info","ts":"2025-11-07T10:54:04.827-0300","caller":"server/server.go:1114","msg":"Atlantis started - listening on port 4141","json":{}} {"level":"info","ts":"2025-11-07T10:54:04.827-0300","caller":"scheduled/executor_service.go:51","msg":"Scheduled Executor Service started","json":{}}
    Without the flag:
    ./atlantis server --bitbucket-user '<user>' --bitbucket-token '<token>' --repo-allowlist '*' --log-level info
    {"level":"info","ts":"2025-11-07T10:54:19.114-0300","caller":"server/server.go:343","msg":"Supported VCS Hosts: BitbucketCloud","json":{}} {"level":"info","ts":"2025-11-07T10:54:19.341-0300","caller":"server/server.go:504","msg":"Utilizing BoltDB","json":{}} {"level":"info","ts":"2025-11-07T10:54:19.350-0300","caller":"policy/conftest_client.go:168","msg":"failed to get default conftest version. Will attempt request scoped lazy loads DEFAULT_CONFTEST_VERSION not set","json":{}} {"level":"info","ts":"2025-11-07T10:54:19.352-0300","caller":"server/server.go:1114","msg":"Atlantis started - listening on port 4141","json":{}} {"level":"info","ts":"2025-11-07T10:54:19.352-0300","caller":"scheduled/executor_service.go:51","msg":"Scheduled Executor Service started","json":{}}
    ## references • closes #5696 runatlantis/atlantis
  • g

    GitHub

    11/08/2025, 1:47 AM
    #5941 chore(deps): update redis:7.4-alpine docker digest to ee64a64 in docker-compose.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Update | Change | | ------- | ------ | ------------------ | | redis | digest | 3b73847 -> ee64a64 | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/09/2025, 1:39 AM
    #5942 chore(deps): update step-security/harden-runner digest to 95d9a5d in .github/workflows/scorecard.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | -------------------------------------------------------------------------------------- | ------ | ------ | ------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [step-security/harden-runner](https://redirect.github.com/step-security/harden-runner) | action | digest | f4a75cf -> 95d9a5d | [[OpenSSF Scorecard](https://camo.githubusercontent.com/79b73feee658f578ed164ed10d5294cc2e58c70ec1db9ee00d03c41311bccebc/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f737465702d73656375726974792f68617264656e2d72756e6e65722f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/step-security/harden-runner) | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/10/2025, 1:13 AM
    #5943 chore(deps): update go to v1.25.4 in go.mod (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ----------------------------------------------------------------------- | ------ | ------ | ------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [go](https://go.dev/) ([source](https://redirect.github.com/golang/go)) | golang | patch | 1.25.3 -> 1.25.4 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/c969aea50aa6c73e27384d8508b5fc8f9d31bd400c588089a1c7a7cdbb51ec23/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f676f6c616e672f676f2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/golang/go) | | golang | stage | patch | 1.25.3-alpine -> 1.25.4-alpine | | --- ### Release Notes golang/go (go) ### `v1.25.4` --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about these updates again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/10/2025, 8:05 PM
    #5921 fix: Separate user and email for bitbucket Pull request opened by lukemassa on 2025-10-31T03:09:37Z ## what Separates out `email` from `user` for bitbucket. ## why My understanding of #5696 is that there has to be a separate "username" from "email" address in the new bitbucket authentication scheme, so I added a flag to tease that out:
    atlantis % go run main.go server --bitbucket-user foo --bitbucket-token bar --repo-allowlist='hi'                            
    Error: --bitbucket-email must be specified alongside --bitbucket-user
    exit status 1
    atlantis % go run main.go server --bitbucket-user foo --bitbucket-token bar --repo-allowlist='hi' --bitbucket-email=foo@bar
    {"level":"info","ts":"2025-10-30T23:06:24.009-0400","caller":"server/server.go:345","msg":"Supported VCS Hosts: BitbucketCloud","json":{}}
    DISCLAIMER: I've never used bitbucket before, and am just going off the description of a problem in #5696 to try to help out. ## tests TODO: add tests Also need to update documentation ## references closes: #5696 runatlantis/atlantis
  • g

    GitHub

    11/11/2025, 2:29 AM
    #5945 chore(deps): update dependency hashicorp/terraform to v1.13.5 in testdrive/utils.go (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Update | Change | OpenSSF | | ---------------------------------------------------------------------- | ------ | ---------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [hashicorp/terraform](https://redirect.github.com/hashicorp/terraform) | patch | 1.13.4 -> 1.13.5 | [[OpenSSF Scorecard](https://camo.githubusercontent.com/73fb079834f95fc441f42b004291acd78181a0da3cd6cfe7a912d424cbb46a81/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6861736869636f72702f7465727261666f726d2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/hashicorp/terraform) | --- ### Release Notes hashicorp/terraform (hashicorp/terraform) ### `v1.13.5` Compare Source ##### 1.13.5 (November 5, 2025) BUG FIXES: • impure functions could cause templatefile to incorrectly fail consistency checks (#​37807) • Allow filesystem functions to return inconsistent results when evaluated within provider configuration (#​37854) --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/11/2025, 3:44 AM
    #5946 docs: Consolidate release documentation Pull request opened by lukemassa ## what Move release documentation out of CONTRIBUTING.md and RELEASE_CADENCE.md into a single RELEASE.md file. ## why Release information isn't relevant to contributing, and was cluttering up that document. Instead of creating another file, I thought it made sense to reuse RELEASE_CADENCE.md (which is a bit specific for a top-level file) to create RELEASE.md. ## tests N/A ## references Came up during discussion in #5890 runatlantis/atlantis
  • g

    GitHub

    11/13/2025, 12:49 AM
    #5951 chore(deps): update ghcr.io/runatlantis/atlantis:latest docker digest to 26043ad in dockerfile.dev (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | | ---------------------------- | ----- | ------ | ------------------ | | ghcr.io/runatlantis/atlantis | final | digest | c1e648a -> 26043ad | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/14/2025, 12:17 AM
    #5953 chore(deps): update github/codeql-action digest to f94c9be in .github/workflows/codeql.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Type | Update | Change | OpenSSF | | ------------------------------------------------------------------------ | ------ | ------ | ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [github/codeql-action](https://redirect.github.com/github/codeql-action) | action | digest | 5d5cd55 -> f94c9be | [[OpenSSF Scorecard](https://camo.githubusercontent.com/7297a8020f03fec30e06910592fd5839c6c112499f8c35234823a18eee5374c0/68747470733a2f2f6170692e736563757269747973636f726563617264732e6465762f70726f6a656374732f6769746875622e636f6d2f6769746875622f636f6465716c2d616374696f6e2f6261646765)](https://securityscorecards.dev/viewer/?uri=github.com/github/codeql-action) | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/14/2025, 1:12 AM
    #5954 feat: implement --ignore-vcs-status-names for GitLab Pull request opened by jklong ## what Implement the `--ignore-vcs-status-names` flag for the GitLab provider. Similar to #4978, this consults an ignore list for commit status names when determining mergeability. If a commit status name can be parsed as `{vcsstatusname}/...` and that parsed `vcsstatusname` is present in the configured ignore list then it is skipped. ## why Similar reasoning as expressed in #2848 for the existing GitHub-only feature - when multiple atlantis servers with different `vcs-status-names` operate on a single repo with a `mergeable` requirement they see pending pipeline statuses set by the other atlantis instances and report that the MR is not mergeable. ## tests • I have tested my changes by adding unit test coverage. `go test ./server/events/vcs` passes, however an existing, unrelated, test failure at main/HEAD causes `make test` to fail. ## references #2848 #4978 runatlantis/atlantis
  • g

    GitHub

    11/14/2025, 4:38 AM
    #5955 fix: Assume divergence until established otherwise Pull request opened by aggrand ## what This modifies the divergence checking behavior to assume divergence unless proven otherwise. On any errors it will say that there is a divergence. ## why The documentation on the merge checkout strategy describes the issue where a failure to use the updated main branch can delete resources that are configured on the main branch. Depending on the resource in question, this could be an unforeseeable change that could have disastrous consequences. The existing behavior seemed to assume safety unless proven unsafe. It would be incredibly bad for a series of poorly-timed transient network failures on fetches to result in an apply that destroys resources. Our usage prioritizes safety and we would prefer that the plan/apply bail if it cannot establish safety. I realize that this is an opinionated change, but I suspect that most people who go out of their way to enable the merge strategy and undiverged requirement are expecting to make their processes as safe as possible. I was surprised by the behavior. If preferred, I could also lock this behavior behind an option. I'm not sure to what extent this would be a breaking change. ## tests ## references runatlantis/atlantis
  • g

    GitHub

    11/14/2025, 5:50 AM
    #5956 chore(deps): update module golang.org/x/crypto to v0.43.0 [security] (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Change | Age | Confidence | | ------------------- | ------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | golang.org/x/crypto | v0.41.0 -> v0.43.0 | [[age](https://camo.githubusercontent.com/968b4219282ea7ff526a529bc8701c10028482487c415936df84a36a331d4808/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f6167652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34332e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | [[confidence](https://camo.githubusercontent.com/d3ef03ec944f66413122c73379998b68f0b36842af6f834a784a5e89c565a670/68747470733a2f2f646576656c6f7065722e6d656e642e696f2f6170692f6d632f6261646765732f636f6e666964656e63652f676f2f676f6c616e672e6f72672532667825326663727970746f2f76302e34312e302f76302e34332e303f736c696d3d74727565)](https://docs.renovatebot.com/merge-confidence/) | --- ### Potential denial of service in golang.org/x/crypto/ssh/agent CVE-2025-47913 / GO-2025-4116 More information #### Details SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process. 
#### Severity Unknown #### References • https://go.dev/cl/700295 • https://go.dev/issue/75178 • https://github.com/advisories/GHSA-hcg3-q754-cr77 This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0). --- ### Configuration 📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/15/2025, 1:16 AM
    #5958 chore(deps): update ngrok/ngrok:latest docker digest to 168300d in docker-compose.yml (main) Pull request opened by renovate[bot] This PR contains the following updates: | Package | Update | Change | | ----------- | ------ | ------------------ | | ngrok/ngrok | digest | 50234a7 -> 168300d | --- ### Configuration 📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - At any time (no schedule defined). 🚦 Automerge: Enabled. ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 Ignore: Close this PR and you won't be reminded about this update again. --- • If you want to rebase/retry this PR, check this box --- This PR was generated by Mend Renovate. View the repository job log. runatlantis/atlantis
  • g

    GitHub

    11/15/2025, 10:41 AM
    #5959 build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 Pull request opened by dependabot[bot] Bumps js-yaml from 4.1.0 to 4.1.1. Changelog Sourced from js-yaml's changelog.
    ## [4.1.1] - 2025-11-12
    ### Security
    • Fix prototype pollution issue in yaml merge (<<) operator.
    Commits • `cc482e7` 4.1.1 released • `50968b8` dist rebuild • `d092d86` lint fix • `383665f` fix prototype pollution in merge (<<) • `0d3ca7a` README.md: HTTP => HTTPS (#678) • `49baadd` doc: 'empty' style option for !!null • `ba3460e` Fix demo link (#618) • See full diff in compare view [Dependabot compatibility score] Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. --- Dependabot commands and options You can trigger Dependabot actions by commenting on this PR: • `@dependabot rebase` will rebase this PR • `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it • `@dependabot merge` will merge this PR after your CI passes on it • `@dependabot squash and merge` will squash and merge this PR after your CI passes on it • `@dependabot cancel merge` will cancel a previously requested merge and block automerging • `@dependabot reopen` will reopen this PR if it is closed • `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually • `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency • `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) • `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) • `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the Security Alerts page. runatlantis/atlantis
  • g

    GitHub

    11/15/2025, 6:12 PM
    #5960 chore: Improve working dir lock error output
    Pull request opened by lukemassa
    ## what
    Improve the output when hitting a working dir lock.
    ## why
    I changed the output command #5935, and messed up the punctuation so there was no space between `"` and the next word. Additionally the wording was a bit confusing and long, this cleans it up a bit.
    ## tests
    Before: [Screenshot 2025-11-15 at 1 07 45 PM]
    After: [Screenshot 2025-11-15 at 1 05 56 PM]
    ## references
    Follow up to #5935
    runatlantis/atlantis
  • g

    GitHub

    11/16/2025, 12:38 AM
    #5961 chore(deps): update actions/dependency-review-action action to v4.8.2 in .github/workflows/dependency-review.yml (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | ------- | ---- | ------ | ------ | ------- |
    | [actions/dependency-review-action](https://redirect.github.com/actions/dependency-review-action) | action | patch | v4.8.1 -> v4.8.2 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/actions/dependency-review-action) |

    ### Release Notes
    actions/dependency-review-action (actions/dependency-review-action)
    ### `v4.8.2`
    Minor fixes:
    • Fix PURL parsing for scoped packages (#1008 from @danielhardej)
    • Fix for large summaries (#1007 from @gitulisca)
    • README includes a working example for allow-dependencies-licenses (#1009 from @danielhardej)

    runatlantis/atlantis
  • g

    GitHub

    11/16/2025, 6:25 AM
    #5963 chore: Remove invalid policy owner tests from command_runner_test
    Pull request opened by lukemassa
    ## what
    Remove two tests from command_runner_test that check to make sure policy approver is the policy set owner.
    ## why
    This logic (and associated tests) was moved to the project command runner: #3086, command_runner no longer has a notion of owner of a policy config. The reason these tests have continued to pass is somewhat subtle. For `TestApprovedPoliciesUpdateFailedPolicyStatus`, the issue was that it was checking to make sure the policy passed, which, after the logic was moved, it always would, regardless of what user was specified.
    atlantis % git diff                                                                 
    diff --git a/server/events/command_runner_test.go b/server/events/command_runner_test.go
    index 84da1ffc..fabfe84d 100644
    --- a/server/events/command_runner_test.go
    +++ b/server/events/command_runner_test.go
    @@ -1148,7 +1148,7 @@ func TestApprovedPoliciesUpdateFailedPolicyStatus(t *testing.T) {
                            CommandName: command.ApprovePolicies,
                            PolicySets: valid.PolicySets{
                                    Owners: valid.PolicyOwners{
    -                                       Users: []string{testdata.User.Username},
    +                                       Users: []string{"some different name that shouldn't work"},
                                    },
                            },
                    },
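Review bot: deleting this test should come with a pointer to the negative test that now covers the owner check. At the `Users:` line in TestApprovedPoliciesUpdateFailedPolicyStatus the owner list is swapped for a name that does not match the commenting user and the run below still reports `ok`, so this test never exercised who may approve policies. Name in the description the project command runner test that fails when a non-owner runs approve_policies, so it is clear the authorization path keeps a failing case after the removal.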
    atlantis % go test ./server/events -run TestApprovedPoliciesUpdateFailedPolicyStatus
    ok  	github.com/runatlantis/atlantis/server/events	0.412s
    So the question is, why was `TestFailedApprovalCreatesFailedStatusUpdate` passing? It was checking to make sure that the command failed, so it should have failed immediately once the policy check was removed. The issue is that this test had a bug: it never specified a return value for ApprovePolicies, so got the "default" value of a ProjectResult. Part of the determination of whether pullStatus is "success" is the command name, and since ProjectResult contains command name, it got the "default" command name, which is Apply. This is why I noticed it, because I am trying to remove command name from ProjectResult to prevent exactly this kind of bug (#5962).
    ``` atlantis % git diff diff --git a/server/events/command_runner_test.go b/server/events/command_runner_test.go index 84da1ffc..f7dc2c74 100644 --- a/server/events/command_runner_test.go +++ b/server/events/command_runner_test.go 
@@ -1104,6 +1104,14 @@ func TestFailedApprovalCreatesFailedStatusUpdate(t *testing.T) { }, nil) When(workingDir.GetPullDir(testdata.GithubRepo, testdata.Pull)).ThenReturn(tmp, nil) + When(projectCommandRunner.ApprovePolicies(Any[command.ProjectContext]())).Then(func(_ []Param) ReturnValues { + return ReturnValues{ + command.ProjectResult{ + Command: command.PolicyCheck, + PolicyCheckResults: &models.PolicyCheckResults{}, + }, + } + }) ch.RunCommentCommand(testdata.GithubRepo, &testdata.GithubRepo, &testdata.Pull, testdata.User, testdata.Pull.Num, &events.CommentCommand{Name: command.ApprovePolicies}) commitUpdater.VerifyWasCalledOnce().UpdateCombinedCount( atlantis % go test ./server/events -run TestFailedApprovalCreatesFailedStatusUpdate --- FAIL: TestFailedApprovalCreatesFailedStatusUpdate (0.04s) command_runner_test.go1072 if "atlantis approve_policies" is run by non policy owner policy check status fails. logger.go146 2025-11-16T005645.134-0500 DEBUG updating DB with pull results {"repo": "runatlantis/atlantis", "pull": "1"} logger.go146 2025-11-16T005645.142-0500 DEBUG timer {"name": "atlantis_comment_approve_policies_execution_time", "value": "8.708583ms", "tags": {}, "type": "timer"} testing_t_support.go41 /Users/lmassa/go/pkg/mod/github.com/petergtz/pegomock/v4@v4.2.0/testing_t_support.go:40 +0x48 github.com/petergtz/pegomock/v4.(*GenericMock).Verify(0x1400007e198, 0x0, {0x101d6d7e0, 0x1400001ebd0}, {0x101858735, 0x13}, {0x14000294cb0, 0x7, 0x7}, {0x140005c3048?, ...}) /Users/lmassa/go/pkg/mod/github.com/petergtz/pegomock/v4@v4.2.0/dsl.go:153 +0x520 github.com/runatlantis/atlantis/server/events/mocks.(*VerifierMockCommitStatusUpdater).UpdateCombinedCount(0x140005c3880, {_, }, {{, }, {, }, {, }, {, ...}, ...}, ...) 
/Users/lmassa/atlantis/server/events/mocks/mock_commit_status_updater.go:182 +0x23c github.com/runatlantis/atlantis/server/events_test.TestFailedApprovalCreatesFailedStatusUpdate(0x14000092e00) /Users/lmassa/atlantis/server/events/command_runner_test.go:1117 +0x12e8 testing.tRunner(0x14000092e00, 0x101d5c220) /Users/lmassa/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.4.darwin-arm64/src/testing/testing.go:1934 +0xc8 created by testing.(*T).Run in goroutine 1 /Users/lmassa/go/pkg/mod/golang.org/toolchain@v0.0.1-go1.25.4.darwin-arm64/src/testing/testing.go:1997 +0x364 Mock invocation count for UpdateCombinedCount(Any(logging.SimpleLogging), Any(models.Repo), Any(models.PullRequest), Eq(1), Eq(3), Eq(0), Eq(2)) does not match expectation. Expected: 1; but got: 0 Actual interactions with this mock were: UpdateCombined(&logging.StructuredLogger{z:(*zap.SugaredLogger)(0x14000014078), levelzap.AtomicLevel{l(*atomic.Int32)(0x140000ab040)}, keepHistory:true, historybytes.Buffer{buf[]uint8{0x5b, 0x44, 0x42, 0x55, 0x47, 0x5d, 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x44, 0x42, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x70, 0x75, 0x6c, 0x6c, 0x20, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0xa}, off:0, lastRead:0}}, models.Repo{FullName:"runatlantis/atlantis", Owner:"runatlantis", Name:"atlantis", CloneURL:"https://user:password@github.com/runatlantis/atlantis.git", SanitizedCloneURL:"https://github.com/runatlantis/atlantis.git", VCSHostmodels.VCSHost{Hostname"github.com", Type:0}}, models.PullRequest{Num:1, HeadCommit:"", URL:"", HeadBranch:"", BaseBranch:"", Author:"", State:0, BaseRepomodels.Repo{FullName"runatlantis/atlantis", Owner:"runatlantis", Name:"atlantis", CloneURL:"https://user:password@github.com/runatlantis/atlantis.git", SanitizedCloneURL:"https://github.com/runatlantis/atlantis.git", VCSHostmodels.VCSHost{Hostname"github.com", Type:0}}}, 0, 3) UpdateCombinedCount(&logging.StructuredLogger{z:(*zap.SugaredLogger)(0x14000014078), 
levelzap.AtomicLevel{l(*atomic.Int32)(0x140000ab040)}, keepHistory:true, historybytes.Buffer{buf[]uint8{0x5b, 0x44, 0x42, 0x55, 0x47, 0x5d, 0x20, 0x75, 0x70, 0x64, 0x61, 0x74, 0x69, 0x6e, 0x67, 0x20, 0x44, 0x42, 0x20, 0x77, 0x69, 0x74, 0x68, 0x20, 0x70, 0x75, 0x6c, 0x6c, 0x20, 0x72, 0x65, 0x73, 0x75, 0x6c, 0x74, 0x73, 0xa}, off:0, lastRead:0}}, models.Repo{FullName:"runatlantis/atlantis", Owner:"runatlantis", Name:"atlantis", CloneURL:"https://user:password@github.com/runatlantis/atlantis.git", SanitizedCloneURL:"https://github.com/runatlantis/atlantis.git", VCSHostmodels.VCSHost{Hostname"github.com", Type:0}}, models.PullRequest{Num:1, HeadCommit:"", URL:"", HeadBranch:"", BaseBranch:"", Author:"", State:0, BaseRepomodels.Repo{FullName"runatlantis/atlantis", Owner:"runatlan… runatlantis/atlantis
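Review bot: in the `ApprovePolicies` stub added to TestFailedApprovalCreatesFailedStatusUpdate, `Command: command.PolicyCheck` needs a one-line comment saying why the result of an approve_policies run carries that name rather than `command.ApprovePolicies`. The description attributes the earlier false pass to the zero-value command name feeding the pull status, so the name chosen in the stub decides what this failing run actually demonstrates. The empty `&models.PolicyCheckResults{}` deserves the same explanation, since a reader cannot tell from the hunk whether an empty result is meant to count as passed or failed.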
  • g

    GitHub

    11/17/2025, 1:16 AM
    #5965 chore(deps): update dependency opentofu/opentofu to v1.10.7 in dockerfile (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:

    | Package | Update | Change | OpenSSF |
    | ------- | ------ | ------ | ------- |
    | [opentofu/opentofu](https://redirect.github.com/opentofu/opentofu) | patch | 1.10.6 -> 1.10.7 | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/opentofu/opentofu) |

    ### Release Notes
    opentofu/opentofu (opentofu/opentofu)
    ### `v1.10.7`
    SECURITY ADVISORIES: This release contains fixes for some security advisories related to previous releases in this series.
    • `tofu init` in OpenTofu v1.10.6 and earlier could potentially use unbounded memory if there is a direct or indirect dependency on a maliciously-crafted module package distributed as a "tar" archive. This would require the attacker to coerce a root module author to depend (directly or indirectly) on a module package they control, using the HTTP, Amazon S3, or Google Cloud Storage source types to refer to a tar archive. This release incorporates the upstream fixes for CVE-2025-58183.
    • When making requests to HTTPS servers, OpenTofu v1.10.6 and earlier could potentially use unbounded memory or crash with a "panic" error if TLS verification involves an excessively-long certificate chain or a chain including DSA public keys. This affected all outgoing HTTPS requests made by OpenTofu itself, including requests to HTTPS-based state storage backends, module registries, and provider registries. For example, an attacker could coerce a root module author to depend (directly or indirectly) on a module they control which then refers to a module or provider from an attacker-controlled registry. That mode of attack would cause failures in `tofu init`, at module or provider installation time. Provider plugins contain their own HTTPS client code, which may have similar problems. OpenTofu v1.10.7 cannot address similar problems within provider plugins, and so we recommend checking for similar advisories and fixes in the provider plugins you use. This release incorporates upstream fixes for CVE-2025-58185, CVE-2025-58187, and CVE-2025-58188.
    BUG FIXES:
    • Fix crash in tofu test when using deprecated outputs (#3249)
    • Fix missing provider functions when parentheses are used (#3402)
    • `for_each` inside `dynamic` blocks can now call provider-defined functions. (#3429)
    Full Changelog: opentofu/opentofu@v1.10.6...v1.10.7

    runatlantis/atlantis
  • g

    GitHub

    11/18/2025, 3:07 AM
    #5966 chore(deps): update dependency vue to v3.5.24 in package.json (main)
    Pull request opened by renovate[bot]
    This PR contains the following updates:

    | Package | Type | Update | Change | OpenSSF |
    | ------- | ---- | ------ | ------ | ------- |
    | [vue](https://redirect.github.com/vuejs/core/tree/main/packages/vue#readme) ([source](https://redirect.github.com/vuejs/core)) | devDependencies | patch | [3.5.22 -> 3.5.24](https://renovatebot.com/diffs/npm/vue/3.5.22/3.5.24) | [OpenSSF Scorecard](https://securityscorecards.dev/viewer/?uri=github.com/vuejs/core) |

    ### Release Notes
    vuejs/core (vue)
    ### `v3.5.24`
    ##### Reverts
    • Revert "fix(compiler-core): correctly handle ts type assertions in expression…" (#14062) (11ec51a), closes #14062 #14060
    ### `v3.5.23`
    ##### Bug Fixes
    • compiler-core: correctly handle ts type assertions in expressions (#13397) (e6544ac), closes #13395
    • compiler-core: fix v-bind shorthand handling for in-DOM templates (#13933) (b3cca26), closes #13930
    • compiler-sfc: resolve numeric literals and template literals without expressions as static property key (#13998) (75d44c7)
    • compiler-ssr: textarea with v-text directive SSR (#13975) (006a0c1)
    • compiler: using guard instead of non-nullish assertion (#13982) (dcc6f36)
    • custom-element: batch custom element prop patching (#13478) (c13e674), closes #12619
    • custom-element: optimize slot retrieval to avoid duplicates (#13961) (84ca349), closes #13955
    • hydration: avoid mismatch during hydrate text with newlines in interpolation (#9232) (6cbdf78), closes #9229
    • runtime-core: pass props and children to loadingComponent (#13997) (40c4b2a)
    • runtime-dom: ensure iframe sandbox is handled as an attribute to prevent unintended behavior (#13950) (5689884), closes #13946
    • suspense: clear placeholder and fallback el after resolve to enable GC (#13928) (f411c66)
    • transition-group: use offsetLeft and offsetTop instead of getBoundingClientRect to avoid transform scale affect animation (#6108) (dc4dd59), closes #6105
    • v-model: handle number modifier on change (#13959) (8fbe48f), closes #13958

    runatlantis/atlantis
  • g

    GitHub

    11/18/2025, 11:52 AM
    #5968 chore(deps): update module golang.org/x/crypto to v0.43.0 [security] (release-0.34)
    Pull request opened by renovate[bot]
    This PR contains the following updates:

    | Package | Change | Age | Confidence |
    | ------- | ------ | --- | ---------- |
    | golang.org/x/crypto | v0.36.0 -> v0.43.0 | [age](https://docs.renovatebot.com/merge-confidence/) | [confidence](https://docs.renovatebot.com/merge-confidence/) |

    ### Potential denial of service in golang.org/x/crypto/ssh/agent
    CVE-2025-47913 / GO-2025-4116
    #### Details
    SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
    #### Severity
    Unknown
    #### References
    • https://go.dev/cl/700295
    • https://go.dev/issue/75178
    • https://github.com/advisories/GHSA-hcg3-q754-cr77
    This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

    ### Configuration
    📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
    🚦 Automerge: Enabled.
    ♻️ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
    🔕 Ignore: Close this PR and you won't be reminded about this update again.
    • If you want to rebase/retry this PR, check this box
    This PR was generated by Mend Renovate. View the repository job log.

    runatlantis/atlantis
  • g

    GitHub

    11/18/2025, 11:53 AM
    #5969 chore(deps): update module golang.org/x/crypto to v0.43.0 [security] (release-0.35)
    Pull request opened by renovate[bot]
    This PR contains the following updates:

    | Package | Change | Age | Confidence |
    | ------- | ------ | --- | ---------- |
    | golang.org/x/crypto | v0.36.0 -> v0.43.0 | [age](https://docs.renovatebot.com/merge-confidence/) | [confidence](https://docs.renovatebot.com/merge-confidence/) |

    ### Potential denial of service in golang.org/x/crypto/ssh/agent
    CVE-2025-47913 / GO-2025-4116
    #### Details
    SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
    #### Severity
    Unknown
    #### References
    • https://go.dev/cl/700295
    • https://go.dev/issue/75178
    • https://github.com/advisories/GHSA-hcg3-q754-cr77
    This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

    runatlantis/atlantis
  • g

    GitHub

    11/18/2025, 11:53 AM
    #5970 chore(deps): update module golang.org/x/crypto to v0.43.0 [security] (release-0.36)
    Pull request opened by renovate[bot]
    This PR contains the following updates:

    | Package | Change | Age | Confidence |
    | ------- | ------ | --- | ---------- |
    | golang.org/x/crypto | v0.41.0 -> v0.43.0 | [age](https://docs.renovatebot.com/merge-confidence/) | [confidence](https://docs.renovatebot.com/merge-confidence/) |

    ### Potential denial of service in golang.org/x/crypto/ssh/agent
    CVE-2025-47913 / GO-2025-4116
    #### Details
    SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.
    #### Severity
    Unknown
    #### References
    • https://go.dev/cl/700295
    • https://go.dev/issue/75178
    • https://github.com/advisories/GHSA-hcg3-q754-cr77
    This data is provided by OSV and the Go Vulnerability Database (CC-BY 4.0).

    runatlantis/atlantis