@dependabot dependabot bot commented on behalf of github Aug 1, 2025

Bumps docker/metadata-action from 5.7.0 to 5.8.0.

Release notes

Sourced from docker/metadata-action's releases.

v5.8.0

Full Changelog: docker/metadata-action@v5.7.0...v5.8.0

Commits
  • c1e5197 Merge pull request #537 from crazy-max/pep440-match
  • 89dd65a chore: update generated content
  • 699ee45 allow to match part of the git tag or value for pep440 type
  • e0542a6 Merge pull request #536 from crazy-max/semver-match
  • b7facdf chore: update generated content
  • 81c60df allow to match part of the git tag or value for semver type
  • de11195 Merge pull request #535 from crazy-max/not_def_branch
  • 2f9c64b Merge pull request #533 from docker/dependabot/npm_and_yarn/form-data-2.5.5
  • 510f746 chore: update generated content
  • 2bc3f4e is_not_default_branch global expression
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5.7.0 to 5.8.0.
- [Release notes](https://github.com/docker/metadata-action/releases)
- [Commits](docker/metadata-action@902fa8e...c1e5197)

---
updated-dependencies:
- dependency-name: docker/metadata-action
  dependency-version: 5.8.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file github_actions Pull requests that update GitHub Actions code minor Minor semver labels Aug 1, 2025
github-actions bot commented Aug 1, 2025

Deleted: /tmp/prior-commit/node_modules/@docker/actions-toolkit/lib/hubRepository.d.ts [🟡 MEDIUM]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| -MEDIUM | fs/path/relative | references and possibly executes relative path | ./types |
| -LOW | net/http | Uses the HTTP protocol | http |
| -LOW | net/url/embedded | contains embedded HTTP URLs | http://www.apache.org/licenses/LICENSE-2.0 |

Deleted: /tmp/prior-commit/node_modules/@docker/actions-toolkit/lib/hubRepository.js [🟡 MEDIUM]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| -MEDIUM | c2/addr/url | contains hardcoded endpoint with a question mark | https://auth.docker.io/token?service=registry, require, .get( |
| -MEDIUM | fs/path/relative | references and possibly executes relative path | ./dockerhub, ./types |
| -MEDIUM | net/download | download files | downloadTool |
| -LOW | c2/tool_transfer/arch | references a specific architecture | https://, http://, amd64 |
| -LOW | c2/tool_transfer/os | references a specific operating system | https://, http://, windows |
| -LOW | data/encoding/json_decode | Decodes JSON messages | JSON.parse |
| -LOW | fs/directory/list | Uses NodeJS functions to list a directory | .readdirSync( |
| -LOW | net/http | Uses the HTTP protocol | http |
| -LOW | net/http/auth | makes HTTP requests with Bearer authentication | Authorization, Bearer |
| -LOW | net/http/request | makes HTTP requests | http.get |
| -LOW | net/url/embedded | contains embedded HTTPS URLs | https://auth.docker.io/token?service=registry.docker.io, https://registry-1.docker.io/v2/ |

Added: /tmp/current-commit/node_modules/moment-timezone/moment-timezone.d.ts [🟡 MEDIUM]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +MEDIUM | fs/path/relative | references and possibly executes relative path | ./index |

Added: /tmp/current-commit/node_modules/@docker/actions-toolkit/lib/types/regclient/regclient.js [🔵 LOW]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +LOW | net/http | Uses the HTTP protocol | http |
| +LOW | net/url/embedded | contains embedded HTTP URLs | http://www.apache.org/licenses/LICENSE-2.0 |

Added: /tmp/current-commit/node_modules/@docker/actions-toolkit/lib/regclient/regctl.d.ts [🔵 LOW]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +LOW | net/http | Uses the HTTP protocol | http |
| +LOW | net/url/embedded | contains embedded HTTP URLs | http://www.apache.org/licenses/LICENSE-2.0 |

Added: /tmp/current-commit/node_modules/@docker/actions-toolkit/lib/regclient/regctl.js [🟡 MEDIUM]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +MEDIUM | exec/cmd/pipe | launches program and reads its output | getExecOutput |
| +MEDIUM | exec/program | executes external program | exec(ver), require |
| +LOW | data/encoding/json_decode | Decodes JSON messages | JSON.parse |
| +LOW | net/http | Uses the HTTP protocol | http |
| +LOW | net/url/embedded | contains embedded HTTP URLs | http://www.apache.org/licenses/LICENSE-2.0 |

Added: /tmp/current-commit/node_modules/@docker/actions-toolkit/lib/types/regclient/regclient.d.ts [🟡 MEDIUM]

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +MEDIUM | net/download | download files | interface DownloadVersion, downloadURL |
| +LOW | net/http | Uses the HTTP protocol | http |
| +LOW | net/url/embedded | contains embedded HTTP URLs | http://www.apache.org/licenses/LICENSE-2.0 |

Changed (20 added, 0 removed): /tmp/current-commit/node_modules/node-fetch/lib/index.mjs [🔵 → 🛑 HIGH]

20 new behaviors

| RISK | KEY | DESCRIPTION | EVIDENCE |
|---|---|---|---|
| +HIGH | exec/remote_commands/code_eval | Executes code from a complex expression | exec(res.pop()) |
| +MEDIUM | exec/program | executes external program | exec(res.pop()), exec(urlStr)), exec(str), exec(ct), require |
| +MEDIUM | impact/remote_access/agent | references an 'agent' | agent |
| +MEDIUM | net/http/form_upload | upload content via HTTP form | application/x-www-form-urlencoded, POST |
| +MEDIUM | net/http/post | submits content to websites | Content-Type, HTTP, http, POST |
| +MEDIUM | net/url/encode | encodes URL, likely to pass GET variables | urlencode |
| +MEDIUM | net/url/request | requests resources via URL | http.request |
| +LOW | data/compression/gzip | works with gzip files | gzip |
| +LOW | data/compression/zlib | uses zlib | zlib |
| +LOW | data/encoding/int | parses integers | parseInt( |
| +LOW | data/encoding/json_decode | Decodes JSON messages | JSON.parse |
| +LOW | exec/imports/python | imports python modules | import whatwgUrl, import Stream, import https, import zlib, import Url |
| +LOW | net/http | Uses the HTTP protocol | http, HTTP |
| +LOW | net/http/accept_encoding | set HTTP response encoding format (example: gzip) | Accept-Encoding |
| +LOW | net/http/auth | makes HTTP requests with basic authentication | www-authenticate |
| +LOW | net/http/request | makes HTTP requests | User-Agent |
| +LOW | net/socket/send | send a message to a socket | socket, send |
| +LOW | net/url/embedded | contains embedded HTTPS URLs | https://github.com/tmpvar/jsdom/blob/aa85b2abf07766ff7bf5c1f6daafb3726f2f, node-fetch/node-fetch#296, https://tools.ietf.org/html/rfc3986, https://hsivonen.fi/encoding-menu/, https://fetch.spec.whatwg.org/ |
| +LOW | net/url/parse | Handles URL strings | new URL |
| +LOW | os/fd/write | writes to a file handle | dest.write(body) |

@some-natalie some-natalie merged commit 06ba400 into main Aug 1, 2025
6 checks passed
@some-natalie some-natalie deleted the dependabot/github_actions/docker/metadata-action-5.8.0 branch August 1, 2025 17:57