chore(deps): update super-linter/super-linter action to v8 [security]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
super-linter/super-linter	action	major	v6.0.0 → v8.3.1

---

Super-linter is vulnerable to command injection via crafted filenames in Super-linter Action

CVE-2026-25761 / GHSA-r79c-pqj3-577x

More information

Details

Summary

The Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job’s GITHUB_TOKEN depending on how the workflow configures permissions.

Details

The issue appears originates in the logic that scans the repository for changed files to check.

1. Use a workflow that runs Super-linter on pull_request events.
2. Open a pull request that adds a new file with a crafted filename containing command substitution and an outbound request that includes $GITHUB_TOKEN.
3. Run the workflow.

Impact

• Arbitrary command execution in the context of the workflow run that invokes Super-linter (triggered by attacker-controlled filenames in a PR).
• Credential exposure / misuse: the injected command can read environment variables available to the action, including GITHUB_TOKEN.

The level of exposure depends on the source of the pull request.

To actively exploit the vulnerability, an attacker needs have the ability to run workflows without any approval from the repository admin.

Also, the GITHUB_TOKEN needs to have unconstrained access to repository resources. Even in that case, for pull request coming from forked repositories, no secrets are passed to the forked repository when running workflows triggered by pull_request events, and the GITHUB_TOKEN drops and write permission on the source repository source.

Finally, although not specific to this vulnerability, we recommend auditing workflow_call and pull_request_target workflows because they can lead to compromise, regardless of whether you're using Super-linter, or not, as explained by this GitHub Enterprise doc.

Severity

• CVSS Score: 8.8 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

• https://github.com/super-linter/super-linter/security/advisories/GHSA-r79c-pqj3-577x
• https://github.com/super-linter/super-linter/releases/tag/v8.3.1
• https://nvd.nist.gov/vuln/detail/CVE-2026-25761
• https://github.com/advisories/GHSA-r79c-pqj3-577x

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

super-linter/super-linter (super-linter/super-linter)

v8.3.1

Compare Source

🐛 Bugfixes

• docs: ansible-lints lints the entire dir (#​7272) (b721f3c), closes #​7263
• handle paths with parentheses (#​7273) (d29d0d4)
• rollback to python 3.13 (#​7269) (10265f1)
• trivial log message bug when file does not exist (#​7268) (c6a7b38)

⬆️ Dependency updates

• bundler: bump rubocop-rails in /dependencies in the rubocop group (#​7251) (d8a2032)
• java: bump com.google.googlejavaformat:google-java-format (#​7270) (140a2e3)
• java: bump com.puppycrawl.tools:checkstyle (#​7264) (550df3c)
• java: bump the java-gradle group across 3 directories with 3 updates (#​7252) (5306a0a)
• npm: bump @​modelcontextprotocol/sdk in /dependencies (#​7248) (4d59852)
• npm: bump express from 5.1.0 to 5.2.1 in /dependencies (#​7246) (50462d3)
• npm: bump jws from 4.0.0 to 4.0.1 in /dependencies (#​7260) (cc90344)
• npm: bump next from 16.0.7 to 16.0.9 in /dependencies (#​7277) (b7cedfb)
• npm: bump the npm group across 1 directory with 3 updates (#​7289) (f65215e)
• npm: bump the npm group across 1 directory with 5 updates (#​7271) (b4e616f)
• npm: bump the npm group across 1 directory with 7 updates (#​7259) (0ab9ad4)
• npm: bump the npm group across 1 directory with 8 updates (#​7266) (39e94f8)
• python: bump the pip group across 1 directory with 2 updates (#​7288) (4559b6e)
• python: bump the pip group across 1 directory with 7 updates (#​7265) (026d3fe)

🧰 Maintenance

• add prettier and htmlhint to the npm group (#​7257) (4692c1c)
• deps: update docker dependencies (#​7285) (f4d16d3), closes #​7244
• fix docs typos and update next (#​7284) (0df9f3c)
• update issue template and print graph (#​7276) (dfb728c)

v8.3.0

Compare Source

🚀 Features

• add ability to specify config files for nbqa tools (#​7184) (b37c1c3)
• lint dependabot, github actions with zizmor (#​7241) (09306cd), closes #​7137
• support rust 2024 (#​7211) (c15ee6d), closes #​7139

🐛 Bugfixes

• parse json to extract terraform version (#​7239) (29f1727)

⬆️ Dependency updates

• bundler: bump rubocop in /dependencies in the rubocop group (#​7188) (74b2444)
• bundler: bump rubocop-rails in /dependencies in the rubocop group (#​7231) (dd55c52)
• bundler: bump the rubocop group in /dependencies with 2 updates (#​7178) (3bdc919)
• bundler: bump the rubocop group in /dependencies with 4 updates (#​7202) (0e09528)
• docker: bump python in the docker-base-images group (#​7123) (41c3da1)
• docker: bump the docker group across 1 directory with 12 updates (#​7235) (b1cf27d)
• docker: bump the docker group across 1 directory with 6 updates (#​7148) (76149cf)
• docker: bump the docker group across 1 directory with 9 updates (#​7194) (45f731e)
• npm: bump @​babel/eslint-parser in /dependencies (#​7183) (197eb88)
• npm: bump @​typescript-eslint/eslint-plugin (#​7127) (2d57f06)
• npm: bump @​typescript-eslint/eslint-plugin (#​7196) (033ea99)
• npm: bump body-parser from 2.2.0 to 2.2.1 in /dependencies (#​7238) (30403f6)
• npm: bump eslint from 9.37.0 to 9.38.0 in /dependencies (#​7170) (b42af6f)
• npm: bump eslint from 9.38.0 to 9.39.0 in /dependencies (#​7191) (0cf22c8)
• npm: bump eslint from 9.39.0 to 9.39.1 in /dependencies (#​7197) (513ae8b)
• npm: bump eslint-plugin-react-hooks (#​7180) (61e4208)
• npm: bump js-yaml from 3.14.1 to 3.14.2 in /dependencies (#​7210) (29faa98)
• npm: bump npm-groovy-lint from 15.2.1 to 15.2.2 in /dependencies (#​7130) (4913825)
• npm: bump renovate from 41.142.0 to 41.146.5 in /dependencies (#​7134) (900b973)
• npm: bump renovate from 41.151.1 to 41.161.0 in /dependencies (#​7182) (1d8c2a2)
• npm: bump renovate from 41.161.0 to 42.4.0 in /dependencies (#​7198) (0a4ed30)
• npm: bump the eslint-plugins-configs group across 1 directory with 2 updates (#​7145) (c137ca9)
• npm: bump the npm group across 1 directory with 2 updates (#​7175) (f0b0ff5)
• npm: bump the npm group across 1 directory with 3 updates (#​7146) (