chore(deps): update dependency jest to v30.4.2

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
jest (source)	30.0.5 → 30.4.2

---

Release Notes

jestjs/jest (jest)

v30.4.2

Compare Source

Fixes

• [jest-runtime] Fix named imports from CJS modules whose module.exports is a function with own-property exports (#​16150)

v30.4.1

Compare Source

Features

• [jest-config, jest-core, jest-runner, jest-schemas, jest-types] Allow custom runner configuration options via tuple format ['runner-path', {options}] (#​16141)

Fixes

• [jest-runtime] Align CJS-from-ESM default export with Node: module.exports is always the ESM default, __esModule unwrapping is no longer applied (#​16143)

v30.4.0

Compare Source

Features

• [babel-jest] Support collecting coverage from .mts, .cts (and other) files (#​15994)
• [jest-circus, jest-cli, jest-config, jest-core, jest-jasmine2, jest-types] Add --collect-tests flag to discover and list tests without executing them (#​16006)
• [jest-config, jest-runner, jest-worker] Add workerGracefulExitTimeout config option to control how long workers are given to exit before being force-killed (#​15984)
• [jest-config] Add support for jest.config.mts as a valid configuration file (#​16005)
• [jest-config, jest-core, jest-reporters, jest-runner] verbose and silent can now be set per-project; the project-level value overrides the global value for that project's tests (#​16133)
• [@jest/fake-timers] Accept Temporal.Duration in jest.advanceTimersByTime() and jest.advanceTimersByTimeAsync() (#​16128)
• [@jest/fake-timers] Accept Temporal.Instant and Temporal.ZonedDateTime in jest.setSystemTime() and useFakeTimers({now}) (#​16128)
• [@jest/fake-timers] Support faking Temporal.Now.* (#​16131)
• [jest-mock] Add clearMocksOnScope(scope) on ModuleMocker for clearing every mock function exposed on a scope object (#​16088)
• [jest-resolve] Add canResolveSync() on Resolver so callers can detect when a user-configured resolver only exports an async hook (#​16064)
• [jest-runtime] Use synchronous evaluate() for ES modules without top-level await on Node versions that support it (v24.9+), and prefer the synchronous transform path when a sync transformer is configured (#​16062)
• [jest-runtime] Support require() of ES modules on Node v24.9+ (#​16074)
• [jest-runtime] Validate TC39 import attributes (with { type: 'json' }) on ESM imports (#​16127)
• [@jest/transform] Add canTransformSync(filename) on ScriptTransformer so callers can pick the sync vs async transform path (#​16062)
• [jest-util] Add isError helper (#​16076)
• [pretty-format] Support React 19 (#​16123)

Fixes

• [expect-utils] Fix toStrictEqual failing on structuredClone results due to cross-realm constructor mismatch (#​15959)
• [@jest/expect-utils] Prevent toMatchObject/subset matching from throwing when encountering exotic iterables (#​15952)
• [fake-timers] Convert Date to milliseconds before passing to @sinonjs/fake-timers (#​16029)
• [jest] Export GlobalConfig and ProjectConfig TypeScript types (#​16132)
• [jest-circus] Prevent crash when asyncError is undefined for non-Error throws (#​16003)
• [jest-circus, jest-jasmine2] Include Error.cause in JSON failureMessages output (#​15967)
• [jest-config] Fix preset path resolution on Windows when the preset uses subpath exports (#​15961)
• [jest-config] Allow collectCoverage and coverageProvider in project config without a validation warning (#​16132)
• [jest-config] Project config validator now emits "is not supported in an individual project configuration" instead of "probably a typing mistake" for known global-only options (#​16132)
• [jest-environment-node] Fix --localstorage-file warning on Node 25+ (#​16086)
• [jest-reporters] Apply global coverage threshold to unmatched pattern files in addition to glob/path thresholds (#​16137)
• [jest-reporters, jest-runner, jest-runtime, jest-transform] Fix coverage report not showing correct code coverage when using projects config option (#​16140)
• [jest-runtime] Resolve expect and @jest/expect from the internal module registry so test-file imports share the same JestAssertionError as the global expect (#​16130)
• [jest-runtime] Improve CJS-from-ESM interop: __esModule/Babel default unwrap, broader named-export coverage, and shared CJS singleton across importers (#​16050)
• [jest-runtime] Load .js files with ESM syntax but no "type":"module" marker as native ESM (#​16050)
• [jest-runtime] Extend the .js-with-ESM-syntax fallback to require() on Node v24.9+ - falls back to require(esm) when the CJS parser rejects ESM syntax (#​16078)
• [jest-runtime] Fix deadlocks and double-evaluation in concurrent ESM and wasm imports (#​16050)
• [jest-runtime] Fix error when require() is called after the Jest environment has been torn down (#​15951)
• [jest-runtime] Fix missing error when import() is called after the Jest environment has been torn down (#​16080)
• [jest-runtime] Fix virtual unstable_mockModule registrations not respected in ESM (#​16081)
• [jest-runtime] Apply moduleNameMapper when resolving modules with require.resolve() and the paths option (#​16135)

Chore & Maintenance

• [@jest/fake-timers] Upgrade @sinonjs/fake-timers (#​16139)
• [jest-runtime] Use synchronous linkRequests / instantiate for ESM linking on Node v24.9+ (#​16063)

v30.3.0

Compare Source

Features

• [jest-config] Add defineConfig and mergeConfig helpers for type-safe Jest config (#​15844)
• [jest-fake-timers] Add setTimerTickMode to configure how timers advance
• [*] Reduce token usage when run through LLMs (3f17932)

Fixes

• [jest-config] Keep CLI coverage output when using --json with --outputFile (#​15918)
• [jest-mock] Use Symbol from test environment (#​15858)
• [jest-reporters] Fix issue where console output not displayed for GHA reporter even with silent: false option (#​15864)
• [jest-runtime] Fix issue where user cannot utilize dynamic import despite specifying --experimental-vm-modules Node option (#​15842)
• [jest-test-sequencer] Fix issue where failed tests due to compilation errors not getting re-executed even with --onlyFailures CLI option (#​15851)
• [jest-util] Make sure process.features.require_module is false (#​15867)

Chore & Maintenance

• [*] Replace remaining micromatch uses with picomatch
• [deps] Update to sinon/fake-timers v15
• [docs] Update V30 migration guide to notify users on jest.mock() work with case-sensitive path (#​15849)
• Updated Twitter icon to match the latest brand guidelines (#​15869)

v30.2.0

Compare Source

Chore & Maintenance

• [*] Update example repo for testing React Native projects (#​15832)
• [*] Update jest-watch-typeahead to v3 (#​15830)

v30.1.3

Compare Source

Fixes

• Fix unstable_mockModule with node: prefixed core modules.

v30.1.2

Compare Source

Fixes

• [jest-snapshot-utils] Correct snapshot header regexp to work with newline across OSes (#​15803)

v30.1.1

Compare Source

Fixes

• [jest-snapshot-utils] Fix deprecated goo.gl snapshot warning not handling Windows end-of-line sequences (#​15800)
• [jest-snapshot-utils] Improve messaging about goo.gl snapshot link change (#​15821)

v30.1.0

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ COPYPASTE	jscpd	yes		no	no	3.74s
✅ EDITORCONFIG	editorconfig-checker	2		0	0	0.01s
✅ JSON	jsonlint	1		0	0	0.67s
✅ JSON	npm-package-json-lint	yes		no	no	0.52s
⚠️ JSON	prettier	1	0	1	0	0.39s
✅ JSON	v8r	1		0	0	11.0s
❌ REPOSITORY	checkov	yes		5	no	22.91s
❌ REPOSITORY	devskim	yes		45	no	158.12s
✅ REPOSITORY	dustilock	yes		no	no	1.57s
✅ REPOSITORY	git_diff	yes		no	no	0.03s
❌ REPOSITORY	grype	yes		67	no	58.39s
❌ REPOSITORY	kics	yes		56	no	5.85s
❌ REPOSITORY	kingfisher	yes		1	no	6.21s
❌ REPOSITORY	secretlint	yes		1	no	1.04s
✅ REPOSITORY	syft	yes		no	no	7.06s
⚠️ REPOSITORY	trivy	yes		1	no	14.34s
✅ REPOSITORY	trivy-sbom	yes		no	no	3.57s
✅ REPOSITORY	trufflehog	yes		no	no	3.96s
✅ SPELL	cspell	3		0	0	2.74s
❌ SPELL	lychee	2		1	0	0.8s
✅ YAML	prettier	1	0	0	0	0.36s
✅ YAML	v8r	1		0	0	1.28s
❌ YAML	yamllint	1		4	0	5.22s

Detailed Issues

❌ REPOSITORY / checkov - 5 errors

dockerfile scan results:

Passed checks: 77, Failed checks: 1, Skipped checks: 0

Check: CKV_DOCKER_3: "Ensure that a user for the container has been created"
	FAILED for resource: /Dockerfile.
	File: /Dockerfile:1-47
	Guide: https://docs.prismacloud.io/en/enterprise-edition/policy-reference/docker-policies/docker-policy-index/ensure-that-a-user-for-the-container-has-been-created

		1  | ARG NODE_VERSION=lts-slim
		2  | 
		3  | FROM node:${NODE_VERSION} AS dependencies
		4  | 
		5  | WORKDIR /app
		6  | 
		7  | ENV PNPM_HOME="/pnpm"
		8  | ENV PATH="$PNPM_HOME:$PATH"
		9  | 
		10 | RUN --mount=type=cache,id=pnpm-store,target=/pnpm/store \
		11 |     --mount=type=bind,source=package.json,target=/app/package.json \
		12 |     --mount=type=bind,source=pnpm-lock.yaml,target=/app/pnpm-lock.yaml \
		13 |     corepack enable && \
		14 |     pnpm install --frozen-lockfile --strict-peer-dependencies
		15 | 
		16 | FROM dependencies AS builder
		17 | 
		18 | COPY --chown=node:node src/ /app/src
		19 | 
		20 | RUN --mount=type=bind,source=package.json,target=/app/package.json \
		21 |     --mount=type=bind,source=nest-cli.json,target=/app/nest-cli.json \
		22 |     --mount=type=bind,source=tsconfig.json,target=/app/tsconfig.json \
		23 |     --mount=type=bind,source=tsconfig.build.json,target=/app/tsconfig.build.json \
		24 |     pnpm build
		25 | 
		26 | FROM builder AS pruner
		27 | 
		28 | RUN --mount=type=cache,id=pnpm-store,target=/pnpm/store \
		29 |     --mount=type=bind,source=package.json,target=/app/package.json \
		30 |     --mount=type=bind,source=pnpm-lock.yaml,target=/app/pnpm-lock.yaml \
		31 |     pnpm prune --prod --ignore-scripts
		32 | 
		33 | FROM gcr.io/distroless/nodejs22-debian12:nonroot
		34 | 
		35 | WORKDIR /app
		36 | 
		37 | ENV PORT=3000
		38 | 
		39 | COPY --chown=nonroot:nonroot --from=pruner /app/node_modules ./node_modules
		40 | COPY --chown=nonroot:nonroot --from=builder /app/dist .
		41 | COPY --chown=nonroot:nonroot CHANGELOG.md LICENSE package.json /app/
		42 | 
		43 | EXPOSE ${PORT}
		44 | 
		45 | HEALTHCHECK --interval=30s --timeout=2s --start-period=10s --retries=2 CMD [ "/nodejs/bin/node", "bin/health-checker.js" ]
		46 | 
		47 | CMD ["main.js"]
github_actions scan results:

Passed checks: 212, Failed checks: 4, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(CI)
	File: /.github/workflows/ci.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Release)
	File: /.github/workflows/release.yml:0-1
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(Publish)
	File: /.github/workflows/publish.yml:11-12
Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(CodeQL)
	File: /.github/workflows/codeql-analysis.yml:27-28

❌ REPOSITORY / devskim - 45 errors

eee9c9fefee9a77bc79f12af1eecef9f9c3e79fa94fe7ef0e9c393a7e06c9a7c6af6e9ee3322efb3fbbb34fa8393e30734c8673bf77768203b34ba83877bc2e69f3edc3bf9f464efe4deeeeedee9fd03e2c4fbcf9e7e7a7c7aef806688a8754f84e6d32727bb4ff6ee3fdd3d79f894d8f0e0de8393a79f125d4e9eecdfdf2366b827b87dfa74ef805e7e7272efe9e9b3e3939367bbf788140ff630ea9353c2f444a09d9e1c936c1e3f7d4a442372ec7e7a40b376ef606fe71ef1170df9290fe1c1fe931d921ae2937bfb27bb9f9eee7cba73eff8c9e9fec983079f9e9e3e7970ffe4d13eb7fbf4d993a70f9fdc7b704ca3be7ff0ecc1dec983273b4f7677770f8e1fdebf77ff0981032f3d3878ba7342f4dcdd39bef7e993a7bb249e9f3e7d422cbefbe9318defdea7cf78100f48ad7c7a7af0ec64e7c983e3672433243aa7c77b3407f76970273ba7a78feea3d9b383bd27c4fcc7f4ff9d27c46544a307079f3ea119d9bdf7e401491d8ff560e7c1dee983277bbbc446f79e3e3938b97ff0e0fec1930734ddc4243468e1a583fbfbc7c7a7d4d3eefde39dfdd3839367fbbb4f1ed20c1e3c39d83b38dd3d7df8681fcd3e7db6f78438617f77fff4f8094d1d29076284d31312d59d7bbbc4c34cb983837d12d09387bbcf200e3411245aa459ee3d7d76ffe4d3873bc77b4439347bb2b3f780e4f3e421217eb2f7ece983e3270fee51934f1f1089779e3eb92fb811390f4e49d68f1f7e4af2\"","markdown":"`\"1f8b0800000000000400edbd07601c499625262f6dca7b7f4af54ad7e074a10880601324d8904010ecc188cde692ec1d69472329ab2a81ca6556655d661640cced9dbcf7de7befbdf7de7befbdf7ba3b9d4e27f7dfff3f5c6664016cf6ce4adac99e2180aac81f3f7e7c1f3f227676f6eeef3f7df0e4deb3ddfb4fee3f7d7a707ab0bbb7f7f4e1bdbde307a7270f3e3dd8f9f4d1ee6f9cececdcdb3978f0706f677fe7e1fefecebdfbf74e4f77f69f3d7c72bcff6cf7f4f8f4e4e19347f7b8d9c1ee83e3d307bb274f8f9f3e3c7876bcbbf3e9c3677b27fba73bf79e3c3cd87ff850a09ddc7ffaecf8e0fec3a7fbbb9f3e39dd39387978efe0e4d3ddbdfdfbc7270fee3d7c72c0d076a9a34f1f3c797afaf0c1b3d3bdbdbd9d9ddda727f7ef3dd83b3d7ef6f0d367a727cf1eeda1d9def1c9a79f3e79b6ffe9eea727f7768e9fed3f397d7af0f0d3e3e37b0feedf3fbeff644fa0ed9d9cdcdb23fcf61fec1cd3581fecef3ffd7467e7e1fde307f78f3fdd3939b8c7b8ed3ed939a5913ed8db7b72fce0de93277b7bbb4f9eecef3f38397eba77fa908874fc688fdb3d7d787cf2ecc92e11e1e9331acabd277bc7f7ee3fdbd9bff78046f1f4e1b3270ceede936707f79e3d78f0f4e1c393d383e3fdfbfbf73edd7ff6e9d3d3bdfddd7bbb4f08456976f2e4fede937b4f77ef9d1e3fbc77eff4c1e9dece8393873b0f3ffdf478f7ded383e31369f6f4d9bd87bb4ff61f3cfdf494fe77fff4e9c33d1af683dde39dd34fef1d9cee1d73339aa5ddddfd87f79eed1d3ca1a97878faece993d393270f3f3da1160ff7efeded3ffa14cdf6f6ee1f9cde3bb9b7ffe4e1d3ddbd4f4f1fee9c3cb8fff0c9938784cea7279fde13faee3f7bb0bbf3e0ded3e327cfee3ffd74efc9a734d8dd9d83bd67fb07f74ef7778e8fef337defef12dc7bc44df71f3ebc47487ffaf4d9cea74f771eeedd7b76effece1e61c7b8dddfdfdf3b797aff00f0ee3f20b2eede7ff6708fa6f93ecde1139a63a1db7d747472b0f7e9d3834fefdf279e20f4f63f059f3c78b6777aefe9fda7d2ece1ceb3074f4f4e1eec3cf9f4defea7fbc7a734cb44fb7b279fee3fdd7b70b0fbe9a33d46eee1c1a7a7c7f7eeed9f7cfae0607fefd9a73455f74ff70e9eed3fbc7ffaecd3fb270702eee9c9fefee9a77bc79f12af1eecef9f9c3e79fa94fe7ef0e9c393a7e06c9a7c6af6e9ee3322efb3fbbb34fa8393e30734c8673bf77768203b34ba83877bc2e69f3edc3bf9f464efe4deeeeedee9fd03e2c4fbcf9e7e7a7c7aef806688a8754f84e6d32727bb4ff6ee3fdd3d79f894d8f0e0de8393a79f125d4e9eecdfdf2366b827b87dfa74ef805e7e7272efe9e9b3e3939367bbf788140ff630ea9353c2f444a09d9e1c936c1e3f7d4a442372ec7e7a40b376ef606fe71ef1170df9290fe1c1fe931d921ae2937bfb27bb9f9eee7cba73eff8c9e9fec983079f9e9e3e7970ffe4d13eb7fbf4d993a70f9fdc7b704ca3be7ff0ecc1dec983273b4f7677770f8e1fdebf77ff0981032f3d3878ba7342f4dcdd39bef7e993a7bb249e9f3e7d422cbefbe9318defdea7cf78100f48ad7c7a7af0ec64e7c983e3672433243aa7c77b3407f76970273ba7a78feea3d9b383bd27c4fcc7f4ff9d27c46544a307079f3ea119d9bdf7e401491d8ff560e7c1dee983277bbbc446f79e3e3938b97ff0e0fec1930734ddc4243468e1a583fbfbc7c7a7d4d3eefde39dfdd3839367fbbb4f1ed20c1e3c39d83b38dd3d7df8681fcd3e7db6f78438617f77fff4f8094d1d29076284d31312d59d7bbbc4c34cb983837d12d09387bbcf200e3411245aa459ee3d7d76ffe4d3873bc77b4439347bb2b3f780e4f3e421217eb2f7ece983e3270fee51934f1f1089779e3eb92fb811390f4e49d68f1f7e4af2\"`"}},"sourceLanguage":"json"}}}],"properties":{"tags":["Implementation.Privacy.Token"],"DevSkimSeverity":"Important","DevSkimConfidence":"Medium"}}],"columnKind":"utf16CodeUnits"}]}

(Truncated to last 4000 characters out of 313712)

❌ REPOSITORY / grype - 67 errors

(7th)   < 0.1  
minimatch             9.0.5      9.0.7     npm   GHSA-23c5-xmqv-rm74  High      < 0.1% (7th)   < 0.1  
glob                  10.4.5     10.5.0    npm   GHSA-5j98-mcp5-4vw2  High      < 0.1% (7th)   < 0.1  
js-yaml               3.14.1     3.14.2    npm   GHSA-mh29-5h37-fv8m  Medium    < 0.1% (10th)  < 0.1  
js-yaml               4.1.0      4.1.1     npm   GHSA-mh29-5h37-fv8m  Medium    < 0.1% (10th)  < 0.1  
lodash                4.17.21    4.17.23   npm   GHSA-xxjr-mmjv-4gpg  Medium    < 0.1% (8th)   < 0.1  
lodash-es             4.17.21    4.17.23   npm   GHSA-xxjr-mmjv-4gpg  Medium    < 0.1% (8th)   < 0.1  
qs                    6.14.0     6.14.2    npm   GHSA-w7fw-mjwx-w883  Low       < 0.1% (15th)  < 0.1  
multer                2.0.2      2.1.0     npm   GHSA-v52c-386h-88mc  High      < 0.1% (5th)   < 0.1  
multer                2.0.2      2.1.0     npm   GHSA-xf7r-hgr6-v32p  High      < 0.1% (5th)   < 0.1  
undici                6.14.1     6.24.0    npm   GHSA-vrm6-8vpv-qv8q  High      < 0.1% (5th)   < 0.1  
undici                6.23.0     6.24.0    npm   GHSA-vrm6-8vpv-qv8q  High      < 0.1% (5th)   < 0.1  
undici                7.22.0     7.24.0    npm   GHSA-vrm6-8vpv-qv8q  High      < 0.1% (5th)   < 0.1  
lodash                4.17.21    4.18.0    npm   GHSA-f23m-r3pf-42rh  Medium    < 0.1% (7th)   < 0.1  
lodash                4.17.23    4.18.0    npm   GHSA-f23m-r3pf-42rh  Medium    < 0.1% (7th)   < 0.1  
lodash-es             4.17.21    4.18.0    npm   GHSA-f23m-r3pf-42rh  Medium    < 0.1% (7th)   < 0.1  
undici                6.14.1     6.21.2    npm   GHSA-cxrh-j4jr-qwg3  Low       < 0.1% (14th)  < 0.1  
picomatch             2.3.1      2.3.2     npm   GHSA-c2c7-rcm5-vvqj  High      < 0.1% (5th)   < 0.1  
picomatch             4.0.1      4.0.4     npm   GHSA-c2c7-rcm5-vvqj  High      < 0.1% (5th)   < 0.1  
brace-expansion       1.1.11     1.1.13    npm   GHSA-f886-m6hf-6m8v  Medium    < 0.1% (6th)   < 0.1  
brace-expansion       2.0.1      2.0.3     npm   GHSA-f886-m6hf-6m8v  Medium    < 0.1% (6th)   < 0.1  
brace-expansion       5.0.4      5.0.5     npm   GHSA-f886-m6hf-6m8v  Medium    < 0.1% (6th)   < 0.1  
undici                6.14.1     6.23.0    npm   GHSA-g9mf-h72j-4rw9  Medium    < 0.1% (5th)   < 0.1  
undici                7.22.0     7.24.0    npm   GHSA-phc3-fgpg-7m6h  Medium    < 0.1% (5th)   < 0.1  
undici                6.14.1     6.24.0    npm   GHSA-2mjp-6q6p-2qxm  Medium    < 0.1% (4th)   < 0.1  
undici                6.23.0     6.24.0    npm   GHSA-2mjp-6q6p-2qxm  Medium    < 0.1% (4th)   < 0.1  
undici                7.22.0     7.24.0    npm   GHSA-2mjp-6q6p-2qxm  Medium    < 0.1% (4th)   < 0.1  
serialize-javascript  6.0.1      7.0.5     npm   GHSA-qj8w-gfj5-8c6v  Medium    < 0.1% (5th)   < 0.1  
ajv                   8.12.0     8.18.0    npm   GHSA-2g4f-4pwh-qvx6  Medium    < 0.1% (3rd)   < 0.1  
jws                   3.2.2      3.2.3     npm   GHSA-869p-cjfg-cm3x  High      < 0.1% (1st)   < 0.1  
@nestjs/core          10.4.22    11.1.18   npm   GHSA-36xv-jgw5-4q75  Medium    < 0.1% (2nd)   < 0.1  
diff                  4.0.2      4.0.4     npm   GHSA-73rr-hh4g-fpgx  Low       < 0.1% (5th)   < 0.1  
undici                6.14.1     6.24.0    npm   GHSA-4992-7rv2-5pvq  Medium    < 0.1% (1st)   < 0.1  
undici                6.23.0     6.24.0    npm   GHSA-4992-7rv2-5pvq  Medium    < 0.1% (1st)   < 0.1  
undici                7.22.0     7.24.0    npm   GHSA-4992-7rv2-5pvq  Medium    < 0.1% (1st)   < 0.1  
webpack               5.97.1     5.104.0   npm   GHSA-38r7-794h-5758  Low       < 0.1% (1st)   < 0.1  
webpack               5.97.1     5.104.1   npm   GHSA-8fgc-7cc6-rx7x  Low       < 0.1% (1st)   < 0.1  
serialize-javascript  6.0.1      7.0.3     npm   GHSA-5c6j-r48x-rmvq  High      N/A            N/A    
follow-redirects      1.15.9     1.16.0    npm   GHSA-r4q5-vmmm-2653  Medium    N/A            N/A
[0058] ERROR discovered vulnerabilities at or above the severity threshold

(Truncated to last 4000 characters out of 7219)

❌ REPOSITORY / kics - 56 errors

Dockerfile:4

		003: # [Optional] Uncomment this section to install additional OS packages.
		004: RUN apt-get update && export DEBIAN_FRONTEND=noninteractive     && apt-get -y install --no-install-recommends silversearcher-ag httpie     && apt-get clean -y && rm -rf /var/lib/apt/lists/*;
		005: 


	[4]: .devcontainer/Dockerfile:4

		003: # [Optional] Uncomment this section to install additional OS packages.
		004: RUN apt-get update && export DEBIAN_FRONTEND=noninteractive     && apt-get -y install --no-install-recommends silversearcher-ag httpie     && apt-get clean -y && rm -rf /var/lib/apt/lists/*;
		005: 


	[5]: .devcontainer/Dockerfile:4

		003: # [Optional] Uncomment this section to install additional OS packages.
		004: RUN apt-get update && export DEBIAN_FRONTEND=noninteractive     && apt-get -y install --no-install-recommends silversearcher-ag httpie     && apt-get clean -y && rm -rf /var/lib/apt/lists/*;
		005: 


Passwords And Secrets - Password in URL, Severity: HIGH, Results: 3
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .github/workflows/ci.yml:95

		094:           SECRET: <SECRET-MASKED-ON-PURPOSE>
		095:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/sharper
		096:           NODE_ENV: production


	[2]: .devcontainer/docker-compose.yml:24

		023:     environment:
		024:       - DATABASE_URL=<SECRET-MASKED-ON-PURPOSE>:5432/postgres
		025: 


	[3]: .github/workflows/ci.yml:89

		088:         env:
		089:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/sharper
		090:       - name: Run the server 🚀


Passwords And Secrets - Generic Secret, Severity: HIGH, Results: 2
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .github/workflows/ci.yml:94

		093:           PORT: 3000
		094:           SECRET: <SECRET-MASKED-ON-PURPOSE>
		095:           DATABASE_URL: <SECRET-MASKED-ON-PURPOSE>:${{ job.services.postgres.ports['5432'] }}/sharper


	[2]: .github/workflows/ci.yml:33

		032:         env:
		033:           SECRET: <SECRET-MASKED-ON-PURPOSE>
		034:       - name: Report test results 📝


Passwords And Secrets - Generic Password, Severity: HIGH, Results: 2
Description: Query to find passwords and secrets in infrastructure code.
Platform: Common
CWE: 798
Risk Score: 7.8
Learn more about this vulnerability: https://docs.kics.io/latest/queries/common-queries/a88baa34-e2ad-44ea-ad6f-8cac87bc7c71

	[1]: .devcontainer/docker-compose.yml:32

		031:     environment:
		032:       POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		033:       POSTGRES_USER: postgres


	[2]: .github/workflows/ci.yml:63

		062:           POSTGRES_USER: armband
		063:           POSTGRES_PASSWORD: <SECRET-MASKED-ON-PURPOSE>
		064:           POSTGRES_DB: sharper


Missing User Instruction, Severity: HIGH, Results: 2
Description: Always set a user in the runtime stage of your Dockerfile. Without it, the container defaults to root, even if earlier build stages define a user.
Platform: Dockerfile
CWE: 250
Risk Score: 7.7
Learn more about this vulnerability: https://docs.kics.io/latest/queries/dockerfile-queries/fd54f200-402c-4333-a5a4-36ef6709af2f

	[1]: Dockerfile:33

		032: 
		033: FROM gcr.io/distroless/nodejs22-debian12:nonroot
		034: 


	[2]: .devcontainer/Dockerfile:1

		001: FROM mcr.microsoft.com/devcontainers/javascript-node:1-18-bullseye
		002: 
		003: # [Optional] Uncomment this section to install additional OS packages.



Results Summary:
CRITICAL: 0
HIGH: 9
MEDIUM: 21
LOW: 24
INFO: 2
TOTAL: 56

A new version 'v2.1.20' of KICS is available, please consider updating

(Truncated to last 4000 characters out of 17401)

❌ REPOSITORY / kingfisher - 1 error

New Kingfisher release 1.99.0 available
 INFO kingfisher: Launching with 8 concurrent scan jobs. Use --num-jobs to override.
 INFO kingfisher::rule_loader: Loaded 453 rules
 INFO kingfisher::scanner::runner: Starting secret validation phase...
POSTGRES URL WITH HARDCODED PASSWORD => [KINGFISHER.POSTGRES.1]
 |Finding.......: [REDACTED:ba5d939f]
 |Fingerprint...: 2034115162828868254
 |Confidence....: medium
 |Entropy.......: 3.87
 |Validation....: Inactive Credential
 |__Response....: Postgres connection failed.
 |Language......: YAML
 |Line Num......: 24
 |Path..........: ./.devcontainer/docker-compose.yml


==========================================
Scan Summary:
==========================================
 |Findings....................: 1
 |__Successful Validations....: 0
 |__Failed Validations........: 1
 |__Skipped Validations.......: 0
 |Rules Applied...............: 453
 |__Blobs Scanned.............: 286
 |Bytes Scanned...............: 7.75 MiB
 |Scan Duration...............: 351ms 933us 253ns
 |Scan Date...................: 2026-05-12 11:57:44 +00:00
 |Kingfisher Version..........: 1.84.0
 |__Latest Version............: 1.99.0
New Kingfisher release 1.99.0 available

❌ SPELL / lychee - 1 error

[403] https://www.npmjs.com/support | Network error: Forbidden
📝 Summary
---------------------
🔍 Total............4
✅ Successful.......1
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........2
❓ Unknown..........0
🚫 Errors...........1

Errors in pnpm-lock.yaml
[403] https://www.npmjs.com/support | Network error: Forbidden

❌ REPOSITORY / secretlint - 1 error

.devcontainer/docker-compose.yml
  24:21  error  [PostgreSQLConnection] found PostgreSQL connection string: ****************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string

.github/workflows/ci.yml
  89:24  error  [PostgreSQLConnection] found PostgreSQL connection string: *************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string
  95:24  error  [PostgreSQLConnection] found PostgreSQL connection string: *************************************************  @secretlint/secretlint-rule-preset-recommend > @secretlint/secretlint-rule-database-connection-string

✖ 3 problems (3 errors, 0 warnings, 0 infos)

❌ YAML / yamllint - 4 errors

pnpm-lock.yaml
  1:1       warning  missing document start "---"  (document-start)
  37:501    error    line too long (545 > 500 characters)  (line-length)
  10143:501 error    line too long (537 > 500 characters)  (line-length)
  10278:501 error    line too long (584 > 500 characters)  (line-length)

⚠️ JSON / prettier - 1 error

[error] Cannot find package 'prettier-plugin-toml' imported from noop.js

⚠️ REPOSITORY / trivy - 1 error

┤        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2024-38372 │ LOW      │        │                   │ 6.19.2                                                  │ Undici vulnerable to data leak when using                    │
│                 │                │          │        │                   │                                                         │ response.arrayBuffer()                                       │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2024-38372                   │
│                 ├────────────────┤          │        │                   ├─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│                 │ CVE-2025-47279 │          │        │                   │ 5.29.0, 6.21.2, 7.5.0                                   │ undici: Undici Memory Leak with Invalid Certificates         │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2025-47279                   │
├─────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────────────────────────────────────────┼──────────────────────────────────────────────────────────────┤
│ uuid            │ CVE-2026-41907 │ MEDIUM   │        │ 11.1.0            │ 11.1.1, 12.0.1, 13.0.1                                  │ uuid: uuid: Out-of-bounds write vulnerability impacts data   │
│                 │                │          │        │                   │                                                         │ integrity and confidentiality                                │
│                 │                │          │        │                   │                                                         │ https://avd.aquasec.com/nvd/cve-2026-41907                   │
└─────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────────────────────────────────────────┴──────────────────────────────────────────────────────────────┘

.devcontainer/Dockerfile (dockerfile)
=====================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds-0002
────────────────────────────────────────


DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds-0026
────────────────────────────────────────



Dockerfile (dockerfile)
=======================
Tests: 27 (SUCCESSES: 26, FAILURES: 1)
Failures: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds-0002
────────────────────────────────────────



📣 Notices:
  - Version 0.70.0 of Trivy is now available, current version is 0.69.1

To suppress version checks, run Trivy scans with the --skip-version-check flag

(Truncated to last 4000 characters out of 28692)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

Show us your support by starring ⭐ the repository

[kodiakhq]

This PR currently has a merge conflict. Please resolve this and then re-add the automerge label.