From 804f1d89751502f16902bd1543a34b1fe98f1077 Mon Sep 17 00:00:00 2001 From: Ludy Date: Sun, 28 Dec 2025 00:56:57 +0100 Subject: [PATCH 1/5] deps(ci): update Dependabot, pre-commit tooling, and testing dependencies (#5170) # Description of Changes This pull request updates dependency management and CI/CD configurations to improve automation, security, and maintainability. The most significant changes include expanding Dependabot coverage to more directories and ecosystems, updating pre-commit and Python dependency versions, and pinning action versions in GitHub workflows for better reproducibility and security. **Dependency Management Improvements:** * Expanded Dependabot configuration in `.github/dependabot.yml` to include additional directories and package ecosystems such as npm, docker, cargo, and pip, ensuring automated dependency updates across more parts of the project. * Updated Python dependencies in `.github/scripts/requirements_pre_commit.txt` to newer versions for `cfgv`, `filelock`, `platformdirs`, `pre-commit`, and `virtualenv`, improving compatibility and security. [[1]](diffhunk://#diff-4b865d764c6955aa3ab06c7beff7c08a122e5145c1f0fecd7b4fd4575848b598L7-R17) [[2]](diffhunk://#diff-4b865d764c6955aa3ab06c7beff7c08a122e5145c1f0fecd7b4fd4575848b598L27-R33) [[3]](diffhunk://#diff-4b865d764c6955aa3ab06c7beff7c08a122e5145c1f0fecd7b4fd4575848b598L110-R112) * Added `tomli-w` to `.github/scripts/requirements_sync_readme.in` and `.github/scripts/requirements_sync_readme.txt` for TOML file writing support. [[1]](diffhunk://#diff-e359c7d332d374a67300c004d7bab6c37cb16b5e1b9c8cd63adf2b59462c1f06R2) [[2]](diffhunk://#diff-cf0fa825b1295e115dbbe842a6f179ed0c72dd80b758d3238ab792cdd0013a4cR7-R10) **CI/CD Workflow Enhancements:** * Updated installation commands in `.github/workflows/check_toml.yml` and `.github/workflows/sync_files_v2.yml` to use hashed and version-pinned dependencies, improving reproducibility and security. Also removed redundant dependency installation in the sync workflow. [[1]](diffhunk://#diff-3117b4a93711d37b0a9a1668272eec716fea0b4f57dde16a85e7ab3f569c455dL203-R203) [[2]](diffhunk://#diff-b1acd58f6bdc16d0f02514058f8842a8ec3c90e8771f6a1e83801fa14ee5041cL56-R56) [[3]](diffhunk://#diff-b1acd58f6bdc16d0f02514058f8842a8ec3c90e8771f6a1e83801fa14ee5041cL68-L70) * Pinned GitHub Actions versions in `.github/workflows/deploy-on-v2-commit.yml` by using commit SHAs for actions such as `actions/checkout`, `docker/setup-buildx-action`, `docker/login-action`, and `docker/build-push-action`, ensuring builds use known-good versions. [[1]](diffhunk://#diff-f8b6ec3c0af9cd2d8dffef6f3def2be6357fe596a606850ca7f5d799e1349069L26-R29) [[2]](diffhunk://#diff-f8b6ec3c0af9cd2d8dffef6f3def2be6357fe596a606850ca7f5d799e1349069L89-R96) [[3]](diffhunk://#diff-f8b6ec3c0af9cd2d8dffef6f3def2be6357fe596a606850ca7f5d799e1349069L109-R109) **Pre-commit Configuration Updates:** * Updated hooks in `.pre-commit-config.yaml` to newer versions for `ruff-pre-commit`, `gitleaks`, and `pre-commit-hooks`, providing enhanced linting and security scanning. [[1]](diffhunk://#diff-63a9c44a44acf85fea213a857769990937107cf072831e1a26808cfde9d096b9L3-R3) [[2]](diffhunk://#diff-63a9c44a44acf85fea213a857769990937107cf072831e1a26808cfde9d096b9L25-R29) --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details. --- .github/dependabot.yml | 35 ++++++++++++++++++++ .github/scripts/requirements_pre_commit.txt | 12 +++---- .github/scripts/requirements_sync_readme.in | 1 + .github/scripts/requirements_sync_readme.txt | 4 +++ .github/workflows/check_toml.yml | 2 +- .github/workflows/deploy-on-v2-commit.yml | 10 +++--- .github/workflows/sync_files_v2.yml | 6 +--- .pre-commit-config.yaml | 4 +-- testing/cucumber/requirements.txt | 26 +++++++-------- 9 files changed, 68 insertions(+), 32 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 356b0263f7..3ba752efaa 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -21,3 +21,38 @@ updates: directory: / schedule: interval: weekly + + - package-ecosystem: npm + directory: /devTools + schedule: + interval: "weekly" + + - package-ecosystem: docker + directory: /docker/backend + schedule: + interval: "weekly" + + - package-ecosystem: docker + directory: /docker/embedded + schedule: + interval: "weekly" + + - package-ecosystem: docker + directory: /docker/frontend + schedule: + interval: "weekly" + + - package-ecosystem: npm + directory: /frontend + schedule: + interval: "weekly" + + - package-ecosystem: cargo + directory: /frontend/src-tauri + schedule: + interval: "weekly" + + - package-ecosystem: pip + directory: /testing/cucumber + schedule: + interval: "weekly" diff --git a/.github/scripts/requirements_pre_commit.txt b/.github/scripts/requirements_pre_commit.txt index 459e46c2c6..b98227afb1 100644 --- a/.github/scripts/requirements_pre_commit.txt +++ b/.github/scripts/requirements_pre_commit.txt @@ -4,9 +4,9 @@ # # pip-compile --generate-hashes --output-file='.github\scripts\requirements_pre_commit.txt' --strip-extras '.github\scripts\requirements_pre_commit.in' # -cfgv==3.4.0 \ - --hash=sha256:b7265b1f29fd3316bfcd2b330d63d024f2bfd8bcb8b0272f8e19a504856c48f9 \ - --hash=sha256:e52591d4c5f5dead8e0f673fb16db7949d2cfb3f7da4582893288f0ded8fe560 +cfgv==3.5.0 \ + --hash=sha256:a8dc6b26ad22ff227d2634a65cb388215ce6cc96bbcc5cfde7641ae87e8dacc0 \ + --hash=sha256:d5b1034354820651caa73ede66a6294d6e95c1b00acc5e9b098e917404669132 # via pre-commit distlib==0.4.0 \ --hash=sha256:9659f7d87e46584a30b5780e43ac7a2143098441670ff0a49d5f9034c54a6c16 \ @@ -28,9 +28,9 @@ platformdirs==4.5.0 \ --hash=sha256:70ddccdd7c99fc5942e9fc25636a8b34d04c24b335100223152c2803e4063312 \ --hash=sha256:e578a81bb873cbb89a41fcc904c7ef523cc18284b7e3b3ccf06aca1403b7ebd3 # via virtualenv -pre-commit==4.3.0 \ - --hash=sha256:2b0747ad7e6e967169136edffee14c16e148a778a54e4f967921aa1ebf2308d8 \ - --hash=sha256:499fe450cc9d42e9d58e606262795ecb64dd05438943c62b66f6a8673da30b16 +pre-commit==4.5.0 \ + --hash=sha256:25e2ce09595174d9c97860a95609f9f852c0614ba602de3561e267547f2335e1 \ + --hash=sha256:dc5a065e932b19fc1d4c653c6939068fe54325af8e741e74e88db4d28a4dd66b # via -r .github/scripts/requirements_pre_commit.in pyyaml==6.0.3 \ --hash=sha256:00c4bdeba853cc34e7dd471f16b4114f4162dc03e6b7afcc2128711f0eca823c \ diff --git a/.github/scripts/requirements_sync_readme.in b/.github/scripts/requirements_sync_readme.in index 8141b83103..f7501c6d0e 100644 --- a/.github/scripts/requirements_sync_readme.in +++ b/.github/scripts/requirements_sync_readme.in @@ -1 +1,2 @@ tomlkit +tomli-w diff --git a/.github/scripts/requirements_sync_readme.txt b/.github/scripts/requirements_sync_readme.txt index eb0cd9bf7f..a5cf36a683 100644 --- a/.github/scripts/requirements_sync_readme.txt +++ b/.github/scripts/requirements_sync_readme.txt @@ -4,6 +4,10 @@ # # pip-compile --generate-hashes --output-file='.github\scripts\requirements_sync_readme.txt' --strip-extras '.github\scripts\requirements_sync_readme.in' # +tomli-w==1.2.0 \ + --hash=sha256:188306098d013b691fcadc011abd66727d3c414c571bb01b1a174ba8c983cf90 \ + --hash=sha256:2dd14fac5a47c27be9cd4c976af5a12d87fb1f0b4512f81d69cce3b35ae25021 + # via -r .github/scripts/requirements_sync_readme.in tomlkit==0.13.3 \ --hash=sha256:430cf247ee57df2b94ee3fbe588e71d362a941ebb545dec29b53961d61add2a1 \ --hash=sha256:c89c649d79ee40629a9fda55f8ace8c6a1b42deb912b2a8fd8d942ddadb606b0 diff --git a/.github/workflows/check_toml.yml b/.github/workflows/check_toml.yml index 2f3c4d7e55..afb70e0c95 100644 --- a/.github/workflows/check_toml.yml +++ b/.github/workflows/check_toml.yml @@ -200,7 +200,7 @@ jobs: - name: Install Python dependencies run: | - pip install tomli-w + pip install --require-hashes tomli-w==1.2.0 --hash sha256:188306098d013b691fcadc011abd66727d3c414c571bb01b1a174ba8c983cf90 - name: Run Python script to check files id: run-check diff --git a/.github/workflows/deploy-on-v2-commit.yml b/.github/workflows/deploy-on-v2-commit.yml index f2f90ccfa1..4309d5233d 100644 --- a/.github/workflows/deploy-on-v2-commit.yml +++ b/.github/workflows/deploy-on-v2-commit.yml @@ -23,10 +23,10 @@ jobs: egress-policy: audit - name: Checkout code - uses: actions/checkout@v4 + uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 + uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 - name: Get commit hashes for frontend and backend id: commit-hashes @@ -86,14 +86,14 @@ jobs: - name: Login to Docker Hub - uses: docker/login-action@v3 + uses: docker/login-action@5e57cd118135c172c3672efd75eb46360885c0ef # v3.6.0 with: username: ${{ secrets.DOCKER_HUB_USERNAME }} password: ${{ secrets.DOCKER_HUB_API }} - name: Build and push frontend image if: steps.check-frontend.outputs.exists == 'false' - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . file: ./docker/frontend/Dockerfile @@ -106,7 +106,7 @@ jobs: - name: Build and push backend image if: steps.check-backend.outputs.exists == 'false' - uses: docker/build-push-action@v6 + uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83 # v6.18.0 with: context: . file: ./docker/backend/Dockerfile diff --git a/.github/workflows/sync_files_v2.yml b/.github/workflows/sync_files_v2.yml index 8d8a6710b2..d72ba8a9da 100644 --- a/.github/workflows/sync_files_v2.yml +++ b/.github/workflows/sync_files_v2.yml @@ -53,8 +53,7 @@ jobs: cache: "pip" # caching pip dependencies - name: Install Python dependencies - run: | - pip install tomli-w + run: pip install --require-hashes -r ./.github/scripts/requirements_sync_readme.txt - name: Sync translation TOML files run: | @@ -65,9 +64,6 @@ jobs: git add frontend/public/locales/*/translation.toml git diff --staged --quiet || git commit -m ":memo: Sync translation files (TOML)" || echo "No changes detected" - - name: Install README dependencies - run: pip install --require-hashes -r ./.github/scripts/requirements_sync_readme.txt - - name: Sync README.md run: | python scripts/counter_translation_v3.py diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index d4c63e8a39..6541be4237 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -1,6 +1,6 @@ repos: - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.14.2 + rev: v0.14.8 hooks: - id: ruff args: @@ -22,7 +22,7 @@ repos: files: \.(html|css|js|py|md)$ exclude: (.vscode|.devcontainer|app/core/src/main/resources|app/proprietary/src/main/resources|Dockerfile|.*/pdfjs.*|.*/thirdParty.*|bootstrap.*|.*\.min\..*|.*diff\.js) - repo: https://github.com/gitleaks/gitleaks - rev: v8.28.0 + rev: v8.30.0 hooks: - id: gitleaks - repo: https://github.com/pre-commit/pre-commit-hooks diff --git a/testing/cucumber/requirements.txt b/testing/cucumber/requirements.txt index 80c32cc3c1..aa078aa00f 100644 --- a/testing/cucumber/requirements.txt +++ b/testing/cucumber/requirements.txt @@ -7,10 +7,10 @@ behave==1.3.3 \ --hash=sha256:2b8f4b64ed2ea756a5a2a73e23defc1c4631e9e724c499e46661778453ebaf51 \ --hash=sha256:89bdb62af8fb9f147ce245736a5de69f025e5edfb66f1fbe16c5007493f842c0 - # via -r requirements.in -certifi==2025.10.5 \ - --hash=sha256:0f212c2744a9bb6de0c56639a6f68afe01ecd92d91f14ae897c4fe7bbeeef0de \ - --hash=sha256:47c09d31ccf2acf0be3f701ea53595ee7e0b8fa08801c6624be771df09ae7b43 + # via -r testing/cucumber/requirements.in +certifi==2025.11.12 \ + --hash=sha256:97de8790030bbd5c2d96b7ec782fc2f7820ef8dba6db909ccf95449f2d062d4b \ + --hash=sha256:d8ab5478f2ecd78af242878415affce761ca6bc54a22a27e026d7c25357c3316 # via requests charset-normalizer==3.4.4 \ --hash=sha256:027f6de494925c0ab2a55eab46ae5129951638a49a34d87f4c3eda90f696b4ad \ @@ -137,9 +137,9 @@ cucumber-expressions==18.0.1 \ --hash=sha256:86230d503cdda7ef35a1f2072a882d7d57c740aa4c163c82b07f039b6bc60c42 \ --hash=sha256:86ce41bf28ee520408416f38022e5a083d815edf04a0bd1dae46d474ca597c60 # via behave -cucumber-tag-expressions==8.0.0 \ - --hash=sha256:4af80282ff0349918c332428176089094019af6e2a381a2fd8f1c62a7a6bb7e8 \ - --hash=sha256:bfe552226f62a4462ee91c9643582f524af84ac84952643fb09057580cbb110a +cucumber-tag-expressions==8.1.0 \ + --hash=sha256:1de26f183b1e8748e881189edd4bcdf4a80d7ed1011ad7b38cf141fcdcc51094 \ + --hash=sha256:acc56dd19b7bd0b931fc7b124ebbb6737def0775be41186ace7f5e566338ce7d # via behave idna==3.11 \ --hash=sha256:771a87f49d9defaf64091e6e6fe9c18d4833f140bd19464795bc32d966ca37ea \ @@ -290,15 +290,15 @@ pycryptodome==3.23.0 \ --hash=sha256:dea827b4d55ee390dc89b2afe5927d4308a8b538ae91d9c6f7a5090f397af1aa \ --hash=sha256:e3f2d0aaf8080bda0587d58fc9fe4766e012441e2eed4269a77de6aea981c8be \ --hash=sha256:eb8f24adb74984aa0e5d07a2368ad95276cf38051fe2dc6605cbcf482e04f2a7 - # via -r requirements.in + # via -r testing/cucumber/requirements.in pypdf==6.4.0 \ --hash=sha256:4769d471f8ddc3341193ecc5d6560fa44cf8cd0abfabf21af4e195cc0c224072 \ --hash=sha256:55ab9837ed97fd7fcc5c131d52fcc2223bc5c6b8a1488bbf7c0e27f1f0023a79 - # via -r requirements.in -reportlab==4.4.4 \ - --hash=sha256:299b3b0534e7202bb94ed2ddcd7179b818dcda7de9d8518a57c85a58a1ebaadb \ - --hash=sha256:cb2f658b7f4a15be2cc68f7203aa67faef67213edd4f2d4bdd3eb20dab75a80d - # via -r requirements.in + # via -r testing/cucumber/requirements.in +reportlab==4.4.5 \ + --hash=sha256:0457d642aa76df7b36b0235349904c58d8f9c606a872456ed04436aafadc1510 \ + --hash=sha256:849773d7cd5dde2072fedbac18c8bc909506c8befba8f088ba7b09243c6684cc + # via -r testing/cucumber/requirements.in requests==2.32.5 \ --hash=sha256:2462f94637a34fd532264295e186976db0f5d453d1cdd31473c85a6a161affb6 \ --hash=sha256:dbba0bac56e100853db0ea71b82b4dfd5fe2bf6d3754a8893c3af500cec7d7cf From 42f9384ece7a3417a5b1e0ac93f5241dfbed440d Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Sun, 28 Dec 2025 12:42:04 +0000 Subject: [PATCH 2/5] build(deps): bump debian from `7cb087f` to `1c25564` in /docker/embedded (#5310) Bumps debian from `7cb087f` to `1c25564`. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=debian&package-manager=docker&previous-version=stable-slim&new-version=stable-slim)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- docker/embedded/Dockerfile | 2 +- docker/embedded/Dockerfile.fat | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docker/embedded/Dockerfile b/docker/embedded/Dockerfile index 439c49e6f3..12067bc7a8 100644 --- a/docker/embedded/Dockerfile +++ b/docker/embedded/Dockerfile @@ -37,7 +37,7 @@ RUN DISABLE_ADDITIONAL_FEATURES=false \ # Stage 2: Runtime image based on Debian stable-slim # Contains Java runtime + LibreOffice + Calibre + all PDF tools -FROM debian:stable-slim@sha256:7cb087f19bcc175b96fbe4c2aef42ed00733a659581a80f6ebccfd8fe3185a3d +FROM debian:stable-slim@sha256:1c25564b03942d874bf6a2b71f2062b71af8bc1475aa873c523e6f7c8fa29e60 SHELL ["/bin/bash", "-o", "pipefail", "-c"] ENV DEBIAN_FRONTEND=noninteractive diff --git a/docker/embedded/Dockerfile.fat b/docker/embedded/Dockerfile.fat index 028a7067ac..1fe61b67a7 100644 --- a/docker/embedded/Dockerfile.fat +++ b/docker/embedded/Dockerfile.fat @@ -37,7 +37,7 @@ RUN DISABLE_ADDITIONAL_FEATURES=false \ # Stage 2: Runtime image based on Debian stable-slim # Contains Java runtime + LibreOffice + Calibre + all PDF tools + extra fonts for air-gapped environments -FROM debian:stable-slim@sha256:7cb087f19bcc175b96fbe4c2aef42ed00733a659581a80f6ebccfd8fe3185a3d +FROM debian:stable-slim@sha256:1c25564b03942d874bf6a2b71f2062b71af8bc1475aa873c523e6f7c8fa29e60 SHELL ["/bin/bash", "-o", "pipefail", "-c"] ENV DEBIAN_FRONTEND=noninteractive From 915a33bbc23fa1c8142c3be1bf1c9f3934a0d9cb Mon Sep 17 00:00:00 2001 From: Ludy Date: Mon, 29 Dec 2025 11:33:57 +0100 Subject: [PATCH 3/5] fix(ci): correct pip --require-hashes usage in TOML check workflow (#5336) # Description of Changes This pull request updates the Python dependency installation step in the `.github/workflows/check_toml.yml` workflow. Instead of installing a single dependency directly, it now installs all dependencies listed in a requirements file, which helps centralize and manage dependencies more effectively. Dependency management improvements: * Changed the Python dependency installation to use the `requirements_sync_readme.txt` file, allowing for easier updates and consistent dependency management. (.github/workflows/check_toml.yml) --- ## Checklist ### General - [ ] I have read the [Contribution Guidelines](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/CONTRIBUTING.md) - [ ] I have read the [Stirling-PDF Developer Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md) (if applicable) - [ ] I have read the [How to add new languages to Stirling-PDF](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md) (if applicable) - [ ] I have performed a self-review of my own code - [ ] My changes generate no new warnings ### Documentation - [ ] I have updated relevant docs on [Stirling-PDF's doc repo](https://github.com/Stirling-Tools/Stirling-Tools.github.io/blob/main/docs/) (if functionality has heavily changed) - [ ] I have read the section [Add New Translation Tags](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/HowToAddNewLanguage.md#add-new-translation-tags) (for new translation tags only) ### Translations (if applicable) - [ ] I ran [`scripts/counter_translation.py`](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/docs/counter_translation.md) ### UI Changes (if applicable) - [ ] Screenshots or videos demonstrating the UI changes are attached (e.g., as comments or direct attachments in the PR) ### Testing (if applicable) - [ ] I have tested my changes locally. Refer to the [Testing Guide](https://github.com/Stirling-Tools/Stirling-PDF/blob/main/devGuide/DeveloperGuide.md#6-testing) for more details. --- .github/workflows/check_toml.yml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/.github/workflows/check_toml.yml b/.github/workflows/check_toml.yml index afb70e0c95..dd5a28ac36 100644 --- a/.github/workflows/check_toml.yml +++ b/.github/workflows/check_toml.yml @@ -199,8 +199,7 @@ jobs: python-version: "3.12" - name: Install Python dependencies - run: | - pip install --require-hashes tomli-w==1.2.0 --hash sha256:188306098d013b691fcadc011abd66727d3c414c571bb01b1a174ba8c983cf90 + run: pip install --require-hashes -r ./.github/scripts/requirements_sync_readme.txt - name: Run Python script to check files id: run-check From 16cd453870549ea635e3b66d48b6992e6e0e2057 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Dec 2025 15:53:23 +0000 Subject: [PATCH 4/5] build(deps): bump org.sonarqube from 7.1.0.6387 to 7.2.2.6593 (#5313) Bumps org.sonarqube from 7.1.0.6387 to 7.2.2.6593. [![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=org.sonarqube&package-manager=gradle&previous-version=7.1.0.6387&new-version=7.2.2.6593)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- build.gradle | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/build.gradle b/build.gradle index e9b010c9e9..cb5580ef32 100644 --- a/build.gradle +++ b/build.gradle @@ -8,7 +8,7 @@ plugins { id "com.diffplug.spotless" version "8.1.0" id "com.github.jk1.dependency-license-report" version "3.0.1" //id "nebula.lint" version "19.0.3" - id "org.sonarqube" version "7.1.0.6387" + id "org.sonarqube" version "7.2.2.6593" } import com.github.jk1.license.render.* From 8f1af5f967556e3685ae8ca620b892ec8cc42a4f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Dec 2025 15:53:41 +0000 Subject: [PATCH 5/5] build(deps-dev): bump stylelint from 16.26.0 to 16.26.1 in /devTools (#5314) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [stylelint](https://github.com/stylelint/stylelint) from 16.26.0 to 16.26.1.
Release notes

Sourced from stylelint's releases.

16.26.1

It fixes numerous false positive bugs, including many in the declaration-property-value-no-unknown rule for the latest CSS specifications.

  • Fixed: *-no-unknown false positives for latest specs by integrating @csstools/css-syntax-patches-for-csstree (#8850) (@​romainmenke).
  • Fixed: at-rule-no-unknown false positives for @function (#8851) (@​jeddy3).
  • Fixed: declaration-property-value-no-unknown false positives for attr(), if() and custom functions (#8853) (@​jeddy3).
  • Fixed: function-url-quotes false positives when URLs require quoting (#8804) (@​taearls).
  • Fixed: selector-pseudo-element-no-unknown false positives for ::scroll-button() (#8856) (@​Mouvedia).
Changelog

Sourced from stylelint's changelog.

16.26.1 - 2025-11-28

It fixes numerous false positive bugs, including many in the declaration-property-value-no-unknown rule for the latest CSS specifications.

  • Fixed: *-no-unknown false positives for latest specs by integrating @csstools/css-syntax-patches-for-csstree (#8850) (@​romainmenke).
  • Fixed: at-rule-no-unknown false positives for @function (#8851) (@​jeddy3).
  • Fixed: declaration-property-value-no-unknown false positives for attr(), if() and custom functions (#8853) (@​jeddy3).
  • Fixed: function-url-quotes false positives when URLs require quoting (#8804) (@​taearls).
  • Fixed: selector-pseudo-element-no-unknown false positives for ::scroll-button() (#8856) (@​Mouvedia).
Commits
  • b968143 Release 16.26.1 (#8857)
  • 2b24b9c Fix selector-pseudo-element-no-unknown false positives for `::scroll-button...
  • f152564 Fix *-no-unknown false positives for latest specs by integrating `@csstools...
  • 431cb53 Fix at-rule-no-unknown false positives for @function (#8851)
  • 119097e Fix declaration-property-value-no-unknown false positives for attr() and ...
  • 4b9c68b Fix function-url-quotes false positives when URLs require quoting (#8804)
  • 8cc4ced Bump rollup from 4.52.5 to 4.53.2 (#8848)
  • 4383feb Bump file-entry-cache from 11.1.0 to 11.1.1 (#8846)
  • a8a7560 Bump the eslint group with 2 updates (#8845)
  • 947ad33 Fix patch-package warning about mismatched @types/css-tree version (#8844)
  • See full diff in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=stylelint&package-manager=npm_and_yarn&previous-version=16.26.0&new-version=16.26.1)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- devTools/package-lock.json | 37 ++++++++++++++++++++++++++++++++----- devTools/package.json | 2 +- 2 files changed, 33 insertions(+), 6 deletions(-) diff --git a/devTools/package-lock.json b/devTools/package-lock.json index 743ae59698..634fcad9a6 100644 --- a/devTools/package-lock.json +++ b/devTools/package-lock.json @@ -9,7 +9,7 @@ "version": "1.0.0", "devDependencies": { "@stylistic/stylelint-plugin": "^4.0.0", - "stylelint": "^16.26.0", + "stylelint": "^16.26.1", "stylelint-config-standard": "^39.0.1" } }, @@ -78,6 +78,7 @@ } ], "license": "MIT", + "peer": true, "engines": { "node": ">=18" }, @@ -85,6 +86,26 @@ "@csstools/css-tokenizer": "^3.0.4" } }, + "node_modules/@csstools/css-syntax-patches-for-csstree": { + "version": "1.0.22", + "resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.0.22.tgz", + "integrity": "sha512-qBcx6zYlhleiFfdtzkRgwNC7VVoAwfK76Vmsw5t+PbvtdknO9StgRk7ROvq9so1iqbdW4uLIDAsXRsTfUrIoOw==", + "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/csstools" + }, + { + "type": "opencollective", + "url": "https://opencollective.com/csstools" + } + ], + "license": "MIT-0", + "engines": { + "node": ">=18" + } + }, "node_modules/@csstools/css-tokenizer": { "version": "3.0.4", "resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-3.0.4.tgz", @@ -101,6 +122,7 @@ } ], "license": "MIT", + "peer": true, "engines": { "node": ">=18" } @@ -896,6 +918,7 @@ "integrity": "sha512-eohl3hKTiVyD1ilYdw9T0OiB4hnjef89e3dMYKz+mVKDzj+5IteTseASUsOB+EU9Tf6VNTCjDePcP6wkDGmLKQ==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "@keyv/serialize": "^1.1.1" } @@ -1104,6 +1127,7 @@ } ], "license": "MIT", + "peer": true, "dependencies": { "nanoid": "^3.3.11", "picocolors": "^1.1.1", @@ -1153,6 +1177,7 @@ "integrity": "sha512-8sLjZwK0R+JlxlYcTuVnyT2v+htpdrjDOKuMcOVdYjt52Lh8hWRYpxBPoKx/Zg+bcjc3wx6fmQevMmUztS/ccA==", "dev": true, "license": "MIT", + "peer": true, "dependencies": { "cssesc": "^3.0.0", "util-deprecate": "^1.0.2" @@ -1344,9 +1369,9 @@ "license": "ISC" }, "node_modules/stylelint": { - "version": "16.26.0", - "resolved": "https://registry.npmjs.org/stylelint/-/stylelint-16.26.0.tgz", - "integrity": "sha512-Y/3AVBefrkqqapVYH3LBF5TSDZ1kw+0XpdKN2KchfuhMK6lQ85S4XOG4lIZLcrcS4PWBmvcY6eS2kCQFz0jukQ==", + "version": "16.26.1", + "resolved": "https://registry.npmjs.org/stylelint/-/stylelint-16.26.1.tgz", + "integrity": "sha512-v20V59/crfc8sVTAtge0mdafI3AdnzQ2KsWe6v523L4OA1bJO02S7MO2oyXDCS6iWb9ckIPnqAFVItqSBQr7jw==", "dev": true, "funding": [ { @@ -1359,8 +1384,10 @@ } ], "license": "MIT", + "peer": true, "dependencies": { "@csstools/css-parser-algorithms": "^3.0.5", + "@csstools/css-syntax-patches-for-csstree": "^1.0.19", "@csstools/css-tokenizer": "^3.0.4", "@csstools/media-query-list-parser": "^4.0.3", "@csstools/selector-specificity": "^5.0.0", @@ -1373,7 +1400,7 @@ "debug": "^4.4.3", "fast-glob": "^3.3.3", "fastest-levenshtein": "^1.0.16", - "file-entry-cache": "^11.1.0", + "file-entry-cache": "^11.1.1", "global-modules": "^2.0.0", "globby": "^11.1.0", "globjoin": "^0.1.4", diff --git a/devTools/package.json b/devTools/package.json index 043ba50fda..6791ae887b 100644 --- a/devTools/package.json +++ b/devTools/package.json @@ -7,7 +7,7 @@ }, "devDependencies": { "@stylistic/stylelint-plugin": "^4.0.0", - "stylelint": "^16.26.0", + "stylelint": "^16.26.1", "stylelint-config-standard": "^39.0.1" } }