chore(deps): update dependency mega-linter-runner to v9.5.0

[elastic-renovate-prod]

This PR contains the following updates:

Package	Type	Update	Change
mega-linter-runner	devDependencies	minor	9.4.0 -> 9.5.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

oxsecurity/megalinter (mega-linter-runner)

v9.5.0

Compare Source

Take 2 mn to read MegaLinter v9.5.0 announcements

• Breaking changes

  • Docker images published only to GitHub Container Registry (ghcr.io) until OIDC-based publishing to Docker Hub is implemented. The Docker Hub registry (docker.io/oxsecurity/megalinter) is frozen at v9.4.0: pulls of oxsecurity/megalinter:v9 (or :beta, or any flavor tag) will keep returning v9.4.0. To get v9.5.0 and later from CI tools other than GitHub Actions (GitLab CI, Azure Pipelines, Bitbucket, Jenkins, Drone, raw docker run, …), switch your image references:

    • oxsecurity/megalinter:v9 → ghcr.io/oxsecurity/megalinter:v9
    • oxsecurity/megalinter:beta → ghcr.io/oxsecurity/megalinter:beta
    • oxsecurity/megalinter-<flavor>:v9 → ghcr.io/oxsecurity/megalinter-<flavor>:v9

    GitHub Action users (uses: oxsecurity/megalinter@v9) and mega-linter-runner users are not affected, as both already pull from ghcr.io.

  • ESLint-based linters upgraded to v10+. Legacy .eslintrc.* configs are no longer supported: you must migrate to flat-config (eslint.config.js) to keep using JAVASCRIPT_ES, TYPESCRIPT_ES, JSX_ESLINT, TSX_ESLINT, and JSON_ESLINT_PLUGIN_JSONC.

  • Airbnb and Standard ESLint configs replaced (they never shipped ESLint 9+ support):

    • extends: ["airbnb"] → extends: ["airbnb-extended"]
    • extends: ["standard"] → extends: ["neostandard"]

• Core

  • User notifications system: linters can surface structured "Notices" to end users in the PR comment / report footer (used for ESLint migration, deprecated options, etc.), replaces the ad-hoc migration warnings
  • Security: more default hidden environment variables, so a compromised linter cannot leak your secrets
  • Upgrade .NET runtime to 10.0 (csharpier, dotnet-format, roslynator, devskim, tsqllint, vbdotnet-format)
  • Upgrade GO runtime to 1.26.3

• New linters

  • osv-scanner: trivy-like vulnerability scanner by Google
  • zizmor: GitHub Actions static analysis

• Disabled linters

  • KICS (until upstream security issue is fixed)
  • Spectral (crashing)

• Re-enabled linters

  • Trivy (v0.70.0): the supply chain security incident is resolved

• Deprecated linters

• Removed linters

• Media

• Linters enhancements

  • ESLint: legacy .eslintrc.* configs are now detected and a migration notice is emitted in the report so users know they need to switch to flat-config
  • shellcheck: honour the BASH_SHELLCHECK_CONFIG_FILE variable / .shellcheckrc config file
  • raku (Rakudo): now ships on ARM64 too
  • scala: linter installation is now deterministic (same binary across rebuilds)
  • v8r (JSON/YAML schema validation): output now shows only validation errors (no more "no schema found" or success noise)
  • lychee: removed the deprecated exclude_mail option (no longer supported by lychee upstream)
  • Faster image pulls: several linters (Lua/StyLua arm64, clj-kondo, kubescape, ls-lint, dotenv-linter) now use pre-built Alpine binaries instead of compiling from source

• Fixes

  • Console output: linters now show their log sections (not only on errors), the results table and reporter logs are printed after linters complete, and parallel-run logs are no longer interleaved
  • YAML_V8R_CONFIG_FILE / JSON_V8R_CONFIG_FILE are now correctly applied (the v8r --catalogs option is wired through)
  • lychee: fix the configured headers / Accept settings being ignored
  • Custom flavor builder: works correctly for repositories whose name contains uppercase characters
  • Docs: corrected the documented default value for the pre-commands cwd option

• Reporters

  • Comment reporters (GitHub, GitLab, Azure DevOps, Bitbucket) now work when running MegaLinter from Jenkins CI
  • GitlabCommentReporter activates as soon as GITLAB_ACCESS_TOKEN_MEGALINTER is set (no longer requires CI_JOB_TOKEN)
  • BitbucketCommentReporter: per-linter sections rendered as ### headings (Bitbucket Cloud markdown was displaying the previous <details> HTML tags as literal text)
  • Display a default user notification on PR/console reports inviting users to read the MegaLinter 9.5.0 release announcement. Can be disabled by setting SECURITY_SUGGESTIONS: false.

• Flavors

  • Multi-arch images: In custom flavors, linters can now build for linux/arm64 in addition to linux/amd64 whenever possible (Apple Silicon, AWS Graviton, Ampere…)

• Doc

  • Add documentation for the megalinter-ado Azure DevOps extension and the megalinter-mcp-server MCP server
  • Explicitly discourage the use of Personal Access Tokens (PAT) in workflows for security reasons

• mega-linter-runner

  • New --list-vars [pattern] flag (with --json) lists every MegaLinter env variable that can be passed via -e, with type, default, allowed values and examples (handy for AI coding agents)
  • -e ENABLE_LINTERS=YAML_PRETTIER,YAML_YAMLLINT no longer silently drops values after the first comma (#​7500). The --env=KEY=VALUE long form is also accepted.

• Dev

  • Add CLAUDE.md and a set of /add-linter, /update-linter-version, /review-descriptor, /fix-linter-test, /add-reporter, /add-flavor, /build, /diagnose-config, /fix-security-issue skills to help work on MegaLinter with coding agents (Claude Code, GitHub Copilot, Codex, gemini-cli…)
  • Migrate copilot-instructions into Claude Code Agents & Skills
  • New descriptor capabilities for custom linter integrations: cli_lint_extra_args_after per lint mode (list_of_files / project / file), a {file} template variable usable in command-line args, and a customizable files separator

• CI

  • Run ARM linter jobs only when the commit message contains "ARM" (avoids 200 jobs per PR)
  • Do not push a fix commit if only markdown or JSON files were updated
  • Run osv-scanner on MegaLinter's own sources
  • Optimize the linter-job matrix for dependabot and renovate PRs
  • Exclude test dependencies from dependabot
  • Faster Docker image builds: optimized Dockerfile layer order, buildx layer cache (type=gha, zstd-compressed) on all deploy workflows, DEV pipeline split into parallel jobs sharing the image via cache, and cargo-based tools (sarif-fmt, zizmor, shellcheck-sarif, stylua) built in parallel multi-stage builders so the Rust toolchain no longer ships in the final image (except for clippy)
  • Hardened MegaLinter's own GitHub Actions workflows against script injection via untrusted PR contexts (zizmor findings)

• Linter versions upgrades (62)

  • actionlint from 1.7.11 to 1.7.12
  • ansible-lint from 26.2.0 to 26.4.0
  • bicep_linter from 0.41.2 to 0.43.8
  • black from 26.1.0 to 26.3.1
  • cfn-lint from 1.45.0 to 3.14
  • checkov from 3.2.506 to 3.2.529
  • clippy from 0.1.93 to 0.1.95
  • clj-kondo from 2026.01.19 to 2025.01.16
  • code-analyzer-apex from 5.10.0 to 5.12.0
  • code-analyzer-aura from 5.10.0 to 5.12.0
  • code-analyzer-lwc from 5.10.0 to 5.12.0
  • codespell from 2.4.1 to 2.4.2
  • cspell from 9.7.0 to 10.0.0
  • dartanalyzer from 3.11.1 to 3.11.6
  • dotnet-format from 9.0.114 to 10.0.108
  • eslint from 9.39.4 to 10.3.0
  • gitleaks from 8.30.0 to 8.30.1
  • golangci-lint from 2.10.1 to 2.11.4
  • grype from 0.109.0 to 0.112.0
  • htmlhint from 1.9.1 to 1.9.2
  • isort from 8.0.0 to 8.0.1
  • jscpd from 4.0.8 to 4.1.1
  • kics from 2.1.19 to 2.1.20
  • kingfisher from 1.84.0 to 1.99.0
  • kubescape from 4.0.2 to 4.0.8
  • lychee from 0.18.0 to 0.24.2
  • markdownlint from 0.47.0 to 0.48.0
  • npm-groovy-lint from 16.2.0 to 17.0.5
  • npm-package-json-lint from 9.1.0 to 10.4.0
  • osv-scanner from 2.3.5 to 2.3.8
  • php-cs-fixer from 3.94.2 to 3.95.2
  • phpstan from 2.1.40 to 2.1.54
  • pmd from 7.22.0 to 7.24.0
  • powershell from 7.5.4 to 7.6.1
  • powershell_formatter from 7.5.4 to 7.6.1
  • prettier from 3.8.1 to 3.8.3
  • psalm from Psalm.6.15.1@​ to Psalm.6.16.1@​
  • pyright from 1.1.408 to 1.1.409
  • raku from 2025.11 to 2026.03
  • revive from 1.14.0 to 1.15.0
  • robocop from 8.2.2 to 8.2.8
  • rubocop from 1.85.0 to 1.86.2
  • ruff from 0.15.4 to 0.15.13
  • ruff-format from 0.15.4 to 0.15.13
  • rumdl from 0.1.32 to 0.1.93
  • secretlint from 11.3.1 to 11.7.1
  • semgrep from 1.153.1 to 1.163.0
  • shfmt from 3.12.0 to 3.13.1
  • snakefmt from 0.11.4 to 1.1.0
  • snakemake from 9.16.3 to 9.21.0
  • sqlfluff from 4.0.4 to 4.2.1
  • stylelint from 16.26.1 to 17.11.0
  • stylua from 2.0.0 to 2.4.1
  • syft from 1.42.1 to 1.44.0
  • terraform-fmt from 1.14.5 to 1.15.2
  • terragrunt from 0.99.4 to 1.0.4
  • tflint from 0.61.0 to 0.62.1
  • trivy from 0.69.1 to 0.70.0
  • trivy-sbom from 0.69.1 to 0.70.0
  • trufflehog from 3.93.6 to 3.95.3
  • vale from 3.13.1 to 3.14.2
  • zizmor from 1.23.1 to 1.25.0

---

Configuration

📅 Schedule: Branch creation - "on monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

✅MegaLinter analysis: Success

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ COPYPASTE	jscpd	yes		no	no	10.11s
✅ REPOSITORY	gitleaks	yes		no	no	58.63s
✅ REPOSITORY	git_diff	yes		no	no	0.69s
✅ REPOSITORY	secretlint	yes		no	no	36.02s
✅ REPOSITORY	trivy	yes		no	no	19.47s

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository