Conversation
Bumps [advanced-security/filter-sarif](https://github.com/advanced-security/filter-sarif) from 1.0.1 to 1.1. - [Release notes](https://github.com/advanced-security/filter-sarif/releases) - [Commits](advanced-security/filter-sarif@f3b8118...2da736f) --- updated-dependencies: - dependency-name: advanced-security/filter-sarif dependency-version: '1.1' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
jeffwidman
added a commit
to dependabot/dependabot-core
that referenced
this pull request
Mar 16, 2026
…ents
When a pinned SHA has multiple version tags (e.g. v1, v1.0, v1.0.1),
the version comment update logic used .find to pick the first tag whose
version string was a suffix of the comment. Because tags are sorted
ascending, this could pick a short version like "1" that is a substring
of the actual comment version "1.0.1". The subsequent gsub("1", "1.1")
then mangled the entire comment, e.g. "# v1.0.1" became "# v1.1.0.1.1".
Fix by selecting the longest (most specific) matching version string
instead of the first match. This ensures gsub replaces the correct
substring.
Fixes an issue observed in cli/cli#12918 where
the comment was incorrectly updated to "# v1.1.0.1.1" instead of
"# v1.1".
jeffwidman
added a commit
to dependabot/dependabot-core
that referenced
this pull request
Mar 17, 2026
…ents
When a pinned SHA has multiple version tags (e.g. v1, v1.0, v1.0.1),
the version comment update logic used .find to pick the first tag whose
version string was a suffix of the comment. Because tags are sorted
ascending, this could pick a short version like "1" that is a substring
of the actual comment version "1.0.1". The subsequent gsub("1", "1.1")
then mangled the entire comment, e.g. "# v1.0.1" became "# v1.1.0.1.1".
Fix by selecting the longest (most specific) matching version string
instead of the first match. This ensures gsub replaces the correct
substring.
Fixes an issue observed in cli/cli#12918 where
the comment was incorrectly updated to "# v1.1.0.1.1" instead of
"# v1.1".
jeffwidman
added a commit
to dependabot/dependabot-core
that referenced
this pull request
Mar 17, 2026
…ents (#14461) When a pinned SHA has multiple version tags (e.g. v1, v1.0, v1.0.1), the version comment update logic used .find to pick the first tag whose version string was a suffix of the comment. Because tags are sorted ascending, this could pick a short version like "1" that is a substring of the actual comment version "1.0.1". The subsequent gsub("1", "1.1") then mangled the entire comment, e.g. "# v1.0.1" became "# v1.1.0.1.1". Fix by selecting the longest (most specific) matching version string instead of the first match. This ensures gsub replaces the correct substring. Fixes an issue observed in cli/cli#12918 where the comment was incorrectly updated to "# v1.1.0.1.1" instead of "# v1.1".
BagToad
approved these changes
Apr 14, 2026
Member
BagToad
left a comment
There was a problem hiding this comment.
Investigated upstream changes (v1.0.1 to v1.1): Adds optional severity input (cli/cli doesn't use it), UTF-8 encoding fix for SARIF I/O. cli/cli's usage (path-pattern filtering of third-party/**) hits the same code path as before. No breaking changes.
Closed
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps advanced-security/filter-sarif from 1.0.1 to 1.1.
Release notes
Sourced from advanced-security/filter-sarif's releases.
Commits
2da736fMerge pull request #17 from advanced-security/copilot/add-severity-filter-optionb82026bRemove [DEBUG] print statements from production codef15e3e4Update action.ymlf74eb20Refactor collect_rule_severities to streamline rule processing and enhance de...da97499Fix severity filter: results no longer incorrectly filtered when level is mis...be31281Initial plan for severity filter bug fix4bddfd6Address code review: use env var for shell safety, fix double stripe304681Add optional severity filter for SARIF alerts36dc0ceInitial plan59d0a64Merge pull request #14 from aibaars/patch-1You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)