From e84c66148a215ad47bde0828cddf36b3bc58702d Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Wed, 13 Aug 2025 12:20:09 -0400 Subject: [PATCH 01/41] Document the release workflow steps --- docs/CONTRIBUTING.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index 7b8ee11..eb8d46d 100644 --- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md @@ -10,4 +10,7 @@ https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contr From a clean working copy, run `npm version major|minor|patch|VERSION`. This will bump the package version, commit, tag, and push. -The tag-push event triggers the release workflow on GitHub. + +The tag-push event triggers the release workflow on GitHub, which creates a +GitHub Release for the tag. It also (when applicable) publishes to npm and +opens a pull request to bump the corresponding formula in its Homebrew tap. From d7b017dea9e3280021d2b02284f1931eee44030d Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Fri, 22 Aug 2025 16:34:53 -0400 Subject: [PATCH 02/41] Update SECURITY vulnerability reporting --- docs/SECURITY.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/SECURITY.md b/docs/SECURITY.md index 313764e..57fb30b 100644 --- a/docs/SECURITY.md +++ b/docs/SECURITY.md 
@@ -4,14 +4,14 @@ It may be overridden by a repo-specific security policy. https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file --> -# Security Policy +# Security Policy 🛡️ -## Supported Versions ✅ +## ✅ Supported Versions Only the greatest published version (according to SemVer) will be supported. This version will be indicated as the "Latest Release" on GitHub Releases. :octocat: -## Reporting a Vulnerability ⚠️ +## ⚠️ Reporting a Vulnerability Use GitHub's built-in reporting mechanism for disclosure. -Go to the repository's Security tab -> Advisories -> New draft security advisory. +Go to the Security tab -> Report a vulnerability. From 1309883d2412596270708bce039139cc7c0a1776 Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Fri, 22 Aug 2025 19:19:30 -0400 Subject: [PATCH 03/41] Update CODE_OF_CONDUCT maintainers --- docs/CODE_OF_CONDUCT.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/docs/CODE_OF_CONDUCT.md b/docs/CODE_OF_CONDUCT.md index 05699e2..a8c4666 100644 --- a/docs/CODE_OF_CONDUCT.md +++ b/docs/CODE_OF_CONDUCT.md @@ -136,3 +136,9 @@ at [https://www.contributor-covenant.org/translations][translations]. [Mozilla CoC]: https://github.com/mozilla/diversity [FAQ]: https://www.contributor-covenant.org/faq [translations]: https://www.contributor-covenant.org/translations + +## Project Maintainers + +- Will McKenzie <> +- Jason Karns <> +- Josh Hagins <> From 1e2b4d8862ef893bccd572c9306bc2a88cad613c Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Mon, 25 Aug 2025 13:23:08 -0400 Subject: [PATCH 04/41] Superlinter should ignore node_modules --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 897daf7..6c06d2c 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -42,6 +42,7 @@ jobs: env: GITHUB_TOKEN: ${{ github.token }} BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug + FILTER_REGEX_EXCLUDE: node_modules VALIDATE_JSCPD: false # jscpd is false-positive prone and generally not useful dependency-review: From e40addd94765360d17be9e8556c950b976817234 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 26 Aug 2025 07:41:10 +0000 Subject: [PATCH 05/41] Bump mislav/bump-homebrew-formula-action from 3.4 to 3.5 Bumps [mislav/bump-homebrew-formula-action](https://github.com/mislav/bump-homebrew-formula-action) from 3.4 to 3.5. - [Release notes](https://github.com/mislav/bump-homebrew-formula-action/releases) - [Commits](https://github.com/mislav/bump-homebrew-formula-action/compare/8e2baa47daaa8db10fcdeb04105dfa6850eb0d68...37c544ffe02cc3f4eb1987db8fa63c96e0b37098) --- updated-dependencies: - dependency-name: mislav/bump-homebrew-formula-action dependency-version: '3.5' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index a951f86..4250f09 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -49,7 +49,7 @@ jobs: steps: - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: { egress-policy: audit } - - uses: mislav/bump-homebrew-formula-action@8e2baa47daaa8db10fcdeb04105dfa6850eb0d68 # v3.4 + - uses: mislav/bump-homebrew-formula-action@37c544ffe02cc3f4eb1987db8fa63c96e0b37098 # v3.5 with: homebrew-tap: ${{ contains(fromJSON('["nodenv","node-build"]'), github.event.repository.name) From 32b11f0dfb6bdda507000aad1d33459180f07c51 Mon Sep 17 00:00:00 2001 
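Review bot: `FILTER_REGEX_EXCLUDE: node_modules` is an unanchored pattern, so, assuming super-linter matches it anywhere in a file's path, any file whose path merely contains that text is silently dropped from linting, not only installed dependencies. Anchoring it to a path segment, `FILTER_REGEX_EXCLUDE: '(^|/)node_modules/'`, limits the exclusion to the dependency directory. The same value is repeated in the `super-lint` job that a later patch in this series adds to `.github_test.yml`. The step this `env:` block belongs to starts outside the hunk.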
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 2 Sep 2025 06:27:01 +0000 Subject: [PATCH 06/41] Bump actions/checkout from 4.2.2 to 5.0.0 Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.2 to 5.0.0. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/11bd71901bbe5b1630ceea73d27597364c9af683...08c6903cd8c0fde910a37f88322edcfb5dd907a8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 4 ++-- .github/workflows/sync-default-branch.yml | 2 +- .github/workflows/sync-major-version.yml | 2 +- .github/workflows/test.yml | 8 ++++---- 4 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 4250f09..3f40b3d 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,7 +31,7 @@ jobs: steps: - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: { egress-policy: audit } - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 # TODO exit this job differently than success if release already exists - name: gh release create run: | 
@@ -64,7 +64,7 @@ jobs: steps: - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: { egress-policy: audit } - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: # FIXME https://github.com/actions/setup-node/pull/129 scope: ${{ inputs.npm_scope }} diff --git a/.github/workflows/sync-default-branch.yml b/.github/workflows/sync-default-branch.yml index bd18ffc..a296785 100644 --- a/.github/workflows/sync-default-branch.yml +++ b/.github/workflows/sync-default-branch.yml @@ -10,5 +10,5 @@ jobs: steps: - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: { egress-policy: audit } - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - run: git push --force origin HEAD:refs/heads/master diff --git a/.github/workflows/sync-major-version.yml b/.github/workflows/sync-major-version.yml index efa7a9e..486e7ef 100644 --- a/.github/workflows/sync-major-version.yml +++ b/.github/workflows/sync-major-version.yml @@ -11,7 +11,7 @@ jobs: steps: - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: { egress-policy: audit } - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 # FIXME pushes branch instead of tag because github bug: # https://github.com/orgs/community/discussions/163366 - run: git push -f origin "HEAD:refs/heads/${GITHUB_REF_NAME%%.*}" diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 6c06d2c..057f712 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -24,7 +24,7 @@ jobs: steps: - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: { egress-policy: audit } - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - run: npm cit env: GITHUB_TOKEN: ${{ github.token }} @@ -36,7 +36,7 @@ jobs: steps: - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: { egress-policy: audit } - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: { fetch-depth: 0 } - uses: super-linter/super-linter/slim@5119dcd8011e92182ce8219d9e9efc82f16fddb6 # v8.0.0 env: @@ -51,7 +51,7 @@ jobs: steps: - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: { egress-policy: audit } - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 ossf-scorecard: @@ -61,7 +61,7 @@ jobs: steps: - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: { egress-policy: audit } - - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 with: results_file: ossf-scorecard-results.sarif From fae79e525b0032dbefd348f47a08c55081337697 Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Mon, 8 Sep 2025 10:51:58 -0400 Subject: [PATCH 07/41] Update CONTRIBUTING.md --- docs/CONTRIBUTING.md | 53 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) diff --git a/docs/CONTRIBUTING.md b/docs/CONTRIBUTING.md index eb8d46d..b617b01 100644 
--- a/docs/CONTRIBUTING.md +++ b/docs/CONTRIBUTING.md 
@@ -6,6 +6,59 @@ https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contr # Contributing +## Rbenv Tags Git Configuration + +Many repositories in the nodenv organization are forks from the rbenv +ecosystem. To support pulling changes from the upstream rbenv repository into +nodenv, it is necessary to add rbenv as a Git remote. However, this adds some +complication because (by default), Git tags for nodenv and rbenv will collide. +(ie, rbenv's `v1.0.0` tag conflicts with nodenv's `v1.0.0`) Additionally, +having rbenv's tags exist locally introduces complications to the release +process: `git push --follow-tags` would push rbenv's tags to nodenv's `origin` +remote. + +The following special Git configuration avoids these and other headaches while +still allowing `origin` to be pushed using `--tags` or `--follow-tags` +options—without the risk of pushing rbenv's tags into nodenv's tagspace. The +configuration assumes nodenv's remote is `origin`, and rbenv's remote is +`rbenv`. + +1. Configure rbenv to not fetch tags by default: + +```console +git config remote.rbenv.tagOpt --no-tags +``` + +2. Fetch rbenv's tags to their own refspec namespace (`rbtags`, in this case): + +```console +git config --add remote.rbenv.fetch '+refs/tags/*:refs/rbtags/*' +``` + +> [!WARNING] +> The `--tags` option to `fetch` et. al. will override this setting. + +Resulting snippet in `.git/config`: + +```gitconfig +[remote "origin"] + url = git@github.com:nodenv/nodenv.git + fetch = +refs/heads/*:refs/remotes/origin/* +[remote "rbenv"] + url = git@github.com:rbenv/rbenv.git + fetch = +refs/heads/*:refs/remotes/rbenv/* + fetch = +refs/tags/*:refs/rbtags/* + tagopt = --no-tags +``` + +To reference rbenv's tags, use the fully qualified refspec: `refs/rbtags/vX.Y.Z` + +```console +git show refs/rbtags/v1.1.2 +git checkout refs/rbtags/v1.1.2 +git merge refs/rbtags/v1.1.2 +``` + ## Releasing From a clean working copy, run `npm version major|minor|patch|VERSION`. 
From 0c32cccd144f36d7257e219f53340c3638d5a23f Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Sep 2025 19:49:30 +0000 Subject: [PATCH 08/41] Bump step-security/harden-runner from 2.13.0 to 2.13.1 Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.0 to 2.13.1. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/ec9f2d5744a09debf3a187a3f4f675c53b671911...f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.13.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 6 +++--- .github/workflows/sync-default-branch.yml | 2 +- .github/workflows/sync-major-version.yml | 2 +- .github/workflows/test.yml | 8 ++++---- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3f40b3d..396eff5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -29,7 +29,7 @@ jobs: permissions: { contents: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 # TODO exit this job differently than success if release already exists 
@@ -47,7 +47,7 @@ jobs: permissions: { contents: read } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: { egress-policy: audit } - uses: mislav/bump-homebrew-formula-action@37c544ffe02cc3f4eb1987db8fa63c96e0b37098 # v3.5 with: @@ -62,7 +62,7 @@ jobs: permissions: { id-token: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 diff --git a/.github/workflows/sync-default-branch.yml b/.github/workflows/sync-default-branch.yml index a296785..d1dc17d 100644 --- a/.github/workflows/sync-default-branch.yml +++ b/.github/workflows/sync-default-branch.yml @@ -8,7 +8,7 @@ jobs: permissions: { contents: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - run: git push --force origin HEAD:refs/heads/master diff --git a/.github/workflows/sync-major-version.yml b/.github/workflows/sync-major-version.yml index 486e7ef..418b557 100644 --- a/.github/workflows/sync-major-version.yml +++ b/.github/workflows/sync-major-version.yml 
@@ -9,7 +9,7 @@ jobs: permissions: { contents: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 # FIXME pushes branch instead of tag because github bug: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 057f712..4d9b386 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,7 +22,7 @@ jobs: fail-fast: false matrix: { os: [ubuntu-latest, macOS-latest] } steps: - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - run: npm cit @@ -34,7 +34,7 @@ jobs: permissions: { contents: read, packages: read, statuses: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: { fetch-depth: 0 } @@ -49,7 +49,7 @@ jobs: if: startsWith('pull_request', github.event_name) runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 
@@ -59,7 +59,7 @@ jobs: permissions: { id-token: write, security-events: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 + - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 From 66499193ba00437d040f4dafd68d5fd4c6de4244 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 6 Oct 2025 17:09:21 +0000 Subject: [PATCH 09/41] Bump mislav/bump-homebrew-formula-action from 3.5 to 3.6 Bumps [mislav/bump-homebrew-formula-action](https://github.com/mislav/bump-homebrew-formula-action) from 3.5 to 3.6. - [Release notes](https://github.com/mislav/bump-homebrew-formula-action/releases) - [Commits](https://github.com/mislav/bump-homebrew-formula-action/compare/37c544ffe02cc3f4eb1987db8fa63c96e0b37098...56a283fa15557e9abaa4bdb63b8212abc68e655c) --- updated-dependencies: - dependency-name: mislav/bump-homebrew-formula-action dependency-version: '3.6' dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 3f40b3d..592a8c5 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -49,7 +49,7 @@ jobs: steps: - uses: step-security/harden-runner@ec9f2d5744a09debf3a187a3f4f675c53b671911 # v2.13.0 with: { egress-policy: audit } - - uses: mislav/bump-homebrew-formula-action@37c544ffe02cc3f4eb1987db8fa63c96e0b37098 # v3.5 + - uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3.6 with: homebrew-tap: ${{ contains(fromJSON('["nodenv","node-build"]'), github.event.repository.name) From 7760809851ec73c4fbb7e4b8d2d7cfd4ac153d14 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Nov 2025 18:21:05 +0000 Subject: [PATCH 10/41] Bump actions/upload-artifact from 4.6.2 to 5.0.0 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.6.2 to 5.0.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/ea165f8d65b6e75b540449e92b4886f43607fa02...330a01c490aca151604b8cf639adc76d48f6c5d4) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 5.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4d9b386..20b92c1 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -67,7 +67,7 @@ jobs: results_file: ossf-scorecard-results.sarif results_format: sarif publish_results: true - - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2 + - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 with: name: ossf-scorecard-results.sarif path: ossf-scorecard-results.sarif From 8da8c540a15b14b405cd55d59c858a68e7760699 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 24 Nov 2025 18:21:28 +0000 Subject: [PATCH 11/41] Bump step-security/harden-runner from 2.13.1 to 2.13.2 Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.1 to 2.13.2. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a...95d9a5deda9de15063e7595e9719c11c38c90ae2) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.13.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 6 +++--- .github/workflows/sync-default-branch.yml | 2 +- .github/workflows/sync-major-version.yml | 2 +- .github/workflows/test.yml | 8 ++++---- 4 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 515b3ac..3f1557a 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -29,7 +29,7 @@ jobs: permissions: { contents: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 # TODO exit this job differently than success if release already exists @@ -47,7 +47,7 @@ jobs: permissions: { contents: read } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3.6 with: 
@@ -62,7 +62,7 @@ jobs: permissions: { id-token: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 diff --git a/.github/workflows/sync-default-branch.yml b/.github/workflows/sync-default-branch.yml index d1dc17d..ef8eb47 100644 --- a/.github/workflows/sync-default-branch.yml +++ b/.github/workflows/sync-default-branch.yml @@ -8,7 +8,7 @@ jobs: permissions: { contents: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - run: git push --force origin HEAD:refs/heads/master diff --git a/.github/workflows/sync-major-version.yml b/.github/workflows/sync-major-version.yml index 418b557..4daf244 100644 --- a/.github/workflows/sync-major-version.yml +++ b/.github/workflows/sync-major-version.yml @@ -9,7 +9,7 @@ jobs: permissions: { contents: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 # FIXME pushes branch instead of tag because github bug: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 4d9b386..7401ef4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -22,7 +22,7 @@ jobs: fail-fast: false matrix: { os: [ubuntu-latest, macOS-latest] } steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - run: npm cit @@ -34,7 +34,7 @@ jobs: permissions: { contents: read, packages: read, statuses: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: { fetch-depth: 0 } @@ -49,7 +49,7 @@ jobs: if: startsWith('pull_request', github.event_name) runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 @@ -59,7 +59,7 @@ jobs: permissions: { id-token: write, security-events: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@f4a75cfd619ee5ce8d5b864b0d183aff3c69b55a # v2.13.1 + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 From c8f6534fbd2e6b9f35c1cd30978bb78a78d91390 Mon Sep 17 00:00:00 2001 
From: Jason Karns Date: Wed, 3 Dec 2025 13:12:08 -0500 Subject: [PATCH 12/41] Remove NPMJS_TOKEN from release workflow NODE_AUTH_TOKEN should no longer be necessary when using npm's Trusted Publisher setup. --- .github/workflows/release.yml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 515b3ac..bec269e 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -20,7 +20,6 @@ on: required: false type: string secrets: - NPMJS_TOKEN: { required: true } # required for npm job BOT_TOKEN: { required: false } # required for homebrew job permissions: {} @@ -71,5 +70,3 @@ jobs: registry-url: https://registry.npmjs.org - run: npm ci - run: npm publish --provenance - env: - NODE_AUTH_TOKEN: ${{ secrets.NPMJS_TOKEN }} From efe6ae0024356d995ac50cea50d3ed36be526b65 Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Thu, 4 Dec 2025 08:31:25 -0500 Subject: [PATCH 13/41] Bump release workflow to use node 24 to ensure npm 11.5.1 --- .github/workflows/release.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index bec269e..ab34692 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -68,5 +68,6 @@ jobs: with: # FIXME https://github.com/actions/setup-node/pull/129 scope: ${{ inputs.npm_scope }} registry-url: https://registry.npmjs.org + node-version: 24 # Trusted Publishing requires npm v11.5.1+; node 24 bundles a sufficient version - run: npm ci - - run: npm publish --provenance + - run: npm publish From 771553d223a210a11f9eeb8a4f62384d2a6a09bf Mon Sep 17 00:00:00 2001 
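Review bot: The `npm publish` step now depends on an npm version that the floating `node-version: 24` only implies, and nothing in the job fails early if the resolved runtime bundles an npm older than the 11.5.1 named in the comment. Because the previous patch removed `NODE_AUTH_TOKEN`, such a run would reach the registry with no credential instead of stopping with a clear message. A step before `npm publish` that prints `npm --version` and exits non-zero below 11.5.1 would make the requirement explicit. Dropping `--provenance` presumably relies on npm attaching provenance automatically under Trusted Publishing; a comment on that line, e.g. `# provenance is attached automatically under Trusted Publishing`, would stop a later reader from assuming attestation was removed. The job's `permissions` and the start of its `steps` lie outside this hunk.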
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Thu, 4 Dec 2025 13:37:37 +0000 Subject: [PATCH 14/41] Bump ossf/scorecard-action from 2.4.2 to 2.4.3 Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.4.2 to 2.4.3. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](https://github.com/ossf/scorecard-action/compare/05b42c624433fc40578a4040d5cf5e36ddca8cde...4eaacf0543bb3f2c246792bd56e8cdeffafb205a) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-version: 2.4.3 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index d1b8027..f67d7b7 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -62,7 +62,7 @@ jobs: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: ossf/scorecard-action@05b42c624433fc40578a4040d5cf5e36ddca8cde # v2.4.2 + - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: ossf-scorecard-results.sarif results_format: sarif From b6c3b9265d1c2d51ed636cfe911712d48bbf0036 Mon Sep 17 00:00:00 2001 
From: Jason Karns Date: Mon, 15 Dec 2025 16:51:33 -0500 Subject: [PATCH 15/41] Run superlinter against nodenv repos as part of .github tests (#131) Superlinter continues to make changes that causes failures. But we don't _know_ about those failures until after we upgrade superlinter in .github, then release, then upgrade a dependent's reference to .github. So let's try pre-emptively running superlinter against our repos _before_ upgrading. So we can catch problems before we cut a release of .github. --- .github/workflows/.github_test.yml | 46 +++++++++++++++++++++++++++++- 1 file changed, 45 insertions(+), 1 deletion(-) diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml index c7199eb..a01459e 100644 --- a/.github/workflows/.github_test.yml +++ b/.github/workflows/.github_test.yml @@ -1,7 +1,7 @@ name: Test on: pull_request: - push: { branches: main } + push: schedule: [{ cron: "0 0 10 * *" }] # monthly https://crontab.guru/#0_0_10_*_* workflow_dispatch: permissions: {} 
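Review bot: Replacing `push: { branches: main }` with a bare `push:` makes every branch and tag push start this workflow, and because `pull_request:` stays enabled, a pull request from a branch in this repository now runs every job twice. The context lines of the next hunk show an existing job in this file being granted `id-token: write`, `security-events: write` and `statuses: write`, so the wider trigger also widens the set of refs for which those tokens are issued. If the aim is only to lint before merge, `push: { branches: [main] }` together with `pull_request` already covers it. Otherwise a comment on the `push:` line, such as `# all branches: lint dependent repos before a release is cut`, would record why the filter was removed.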
@@ -16,3 +16,47 @@ jobs: id-token: write security-events: write statuses: write + + super-lint: + permissions: { contents: read, packages: read, statuses: write } + runs-on: ubuntu-latest + strategy: + fail-fast: false + matrix: + repo: + - actions + # - homebrew-nodenv + - jetbrains-npm + # - node-build + - node-build-prerelease + - node-build-update-defs + # - nodenv + # - nodenv-aliases + - nodenv-default-packages + - nodenv-each + - nodenv-env + - nodenv-installer + - nodenv-man + - nodenv-npm-migrate + # - nodenv-nvmrc + # - nodenv-package-json-engine + # - nodenv-package-rehash + # - nodenv-update + - nodenv-vars + steps: + - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + with: { egress-policy: audit } + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + repository: nodenv/${{ matrix.repo }} + persist-credentials: false + - uses: super-linter/super-linter/slim@5119dcd8011e92182ce8219d9e9efc82f16fddb6 # v8.0.0 + env: + ### RUN_LOCAL+USE_FIND_ALGORITHM to workaround superlinter + RUN_LOCAL: true + USE_FIND_ALGORITHM: true + ### + GITHUB_TOKEN: ${{ github.token }} + BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug #5731 + FILTER_REGEX_EXCLUDE: node_modules + VALIDATE_JSCPD: false # prone to false-positives and not worth it From 222fe50cdd104926beb4aa7a73d8dd685aabc935 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 16 Dec 2025 09:46:03 -0500 Subject: [PATCH 16/41] Bump actions/dependency-review-action from 4.7.1 to 4.8.2 (#129) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bumps [actions/dependency-review-action](https://github.com/actions/dependency-review-action) from 4.7.1 to 4.8.2.
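Review bot: The new `super-lint` job grants `packages: read` and `statuses: write` and passes `GITHUB_TOKEN` to super-linter, although the tree being linted is another repository's checkout (`repository: nodenv/${{ matrix.repo }}`), so the token looks broader than the job needs. With `RUN_LOCAL: true` super-linter presumably does not report commit statuses, in which case `permissions: { contents: read }` would be enough; confirm against a run before narrowing. The `### RUN_LOCAL+USE_FIND_ALGORITHM to workaround superlinter` comment should also say what is being worked around, for example `# checked-out repo is not the event's repo, so lint all files instead of the event diff` if that is the reason.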
Release notes

Sourced from actions/dependency-review-action's releases.

v4.8.2

Minor fixes:

Dependency Review Action v4.8.1

What's Changed

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4...v4.8.1

v4.8.0

What's Changed

New Contributors

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4...v4.8.0

4.7.3

What's Changed

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4...v4.7.3

4.7.2

What's Changed

New Contributors

Full Changelog: https://github.com/actions/dependency-review-action/compare/v4...v4.7.2

Commits
  • 3c4e3dc Merge pull request #1016 from actions/dra-release
  • 02930b2 Update CONTRIBUTING to reflect new guidelines
  • 49ffd9f Update CONTRIBUTING to reflect the need to build
  • 70cb25e 4.8.2 release
  • ebabd31 Merge pull request #1008 from danielhardej/danielhardej-patch-20251023
  • 19f9360 Update package-lock.json
  • 5fd2f98 Bump @​types/jest to version 29.5.14
  • 28647f4 Fix PURL parsing by removing encodeURI
  • f620fd1 Merge pull request #1013 from actions/dangoor/token-fix
  • 9b42b7e Remove bad token reference
  • Additional commits viewable in compare view

[![Dependabot compatibility score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=actions/dependency-review-action&package-manager=github_actions&previous-version=4.7.1&new-version=4.8.2)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) ---
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
Signed-off-by: dependabot[bot] Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index f67d7b7..dcc6c6e 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -52,7 +52,7 @@ jobs: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: actions/dependency-review-action@da24556b548a50705dd671f47852072ea4c105d9 # v4.7.1 + - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 ossf-scorecard: if: github.ref_name == github.event.repository.default_branch From 506d5b5737a29c9125c7fb7c385c4eaf709f5ef7 Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Tue, 16 Dec 2025 09:58:46 -0500 Subject: [PATCH 17/41] disable commitlint --- .github/workflows/.github_test.yml | 3 ++- .github/workflows/test.yml | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml index a01459e..0357788 100644 --- a/.github/workflows/.github_test.yml +++ b/.github/workflows/.github_test.yml @@ -59,4 +59,5 @@ jobs: GITHUB_TOKEN: ${{ github.token }} BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug #5731 FILTER_REGEX_EXCLUDE: node_modules - VALIDATE_JSCPD: false # prone to false-positives and not worth it + VALIDATE_GIT_COMMITLINT: false # commitlint is bad + VALIDATE_JSCPD: false # too prone to false-positives diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index dcc6c6e..78cf0d4 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -43,7 +43,8 @@ jobs: GITHUB_TOKEN: ${{ github.token }} BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug FILTER_REGEX_EXCLUDE: node_modules - VALIDATE_JSCPD: false # jscpd is false-positive prone and generally not useful + VALIDATE_GIT_COMMITLINT: false # commitlint is bad + VALIDATE_JSCPD: false # too prone to false-positives dependency-review: if: startsWith('pull_request', github.event_name) From acae64c13b9b31fc5c27a014e61c9903e9772bda Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Tue, 16 Dec 2025 10:53:23 -0500 Subject: [PATCH 18/41] Tighten dependency-review job from audit to block network egress --- .github/workflows/test.yml | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 78cf0d4..1027681 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -51,7 +51,12 @@ jobs: runs-on: ubuntu-latest steps: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 - with: { egress-policy: audit } + with: + egress-policy: block + allowed-endpoints: > + api.github.com:443 + api.securityscorecards.dev:443 + github.com:443 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 From a47844f41b66b2aa591f985b78306da5dabca60e Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Wed, 17 Dec 2025 13:00:25 -0500 Subject: [PATCH 19/41] Bump superlinter from 8.0 to 8.1 (#132) --- .github/workflows/.github_test.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml index 0357788..09c9058 100644 --- a/.github/workflows/.github_test.yml +++ b/.github/workflows/.github_test.yml 
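Review bot: The `allowed-endpoints` list added to the `dependency-review` job has no comment saying which step needs each host or how the list was derived, which makes a blocked run hard to diagnose; a later patch in this series has to add `api.deps.dev:443` to unblock the job. I would put a comment above the `allowed-endpoints:` key (not inside the folded scalar, where `#` would become part of the value), such as `# hosts observed in harden-runner audit runs; re-check in audit mode when bumping dependency-review-action`. `api.securityscorecards.dev:443` is presumably for the action's OpenSSF Scorecard lookup rather than for checkout, and the same comment should say so. The job definition starts above this hunk, so its `permissions` are not visible here.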
@@ -50,7 +50,7 @@ jobs: with: repository: nodenv/${{ matrix.repo }} persist-credentials: false - - uses: super-linter/super-linter/slim@5119dcd8011e92182ce8219d9e9efc82f16fddb6 # v8.0.0 + - uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0 env: ### RUN_LOCAL+USE_FIND_ALGORITHM to workaround superlinter RUN_LOCAL: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 1027681..68cccee 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -38,7 +38,7 @@ jobs: with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: { fetch-depth: 0 } - - uses: super-linter/super-linter/slim@5119dcd8011e92182ce8219d9e9efc82f16fddb6 # v8.0.0 + - uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0 env: GITHUB_TOKEN: ${{ github.token }} BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug From 001d13c7fa013f8fe3b254e305e21befa177e596 Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Wed, 17 Dec 2025 13:55:38 -0500 Subject: [PATCH 20/41] Bump superlinter from 8.1 to 8.2.1 --- .github/workflows/.github_test.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml index 09c9058..b49bdaa 100644 --- a/.github/workflows/.github_test.yml +++ b/.github/workflows/.github_test.yml @@ -50,7 +50,7 @@ jobs: with: repository: nodenv/${{ matrix.repo }} persist-credentials: false - - uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0 + - uses: super-linter/super-linter/slim@2bdd90ed3262e023ac84bf8fe35dc480721fc1f2 # v8.2.1 env: ### RUN_LOCAL+USE_FIND_ALGORITHM to workaround superlinter RUN_LOCAL: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 68cccee..cee2e69 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml 
@@ -38,7 +38,7 @@ jobs: with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: { fetch-depth: 0 } - - uses: super-linter/super-linter/slim@ffde3b2b33b745cb612d787f669ef9442b1339a6 # v8.1.0 + - uses: super-linter/super-linter/slim@2bdd90ed3262e023ac84bf8fe35dc480721fc1f2 # v8.2.1 env: GITHUB_TOKEN: ${{ github.token }} BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug From b7cebf00187647ac06e0fcca5f5ea3b4af87fb4c Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Wed, 17 Dec 2025 14:00:43 -0500 Subject: [PATCH 21/41] disable super-linter biome --- .github/workflows/.github_test.yml | 2 ++ .github/workflows/test.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml index b49bdaa..10ee6df 100644 --- a/.github/workflows/.github_test.yml +++ b/.github/workflows/.github_test.yml @@ -59,5 +59,7 @@ jobs: GITHUB_TOKEN: ${{ github.token }} BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug #5731 FILTER_REGEX_EXCLUDE: node_modules + VALIDATE_BIOME_FORMAT: false # conflicts with prettier + VALIDATE_BIOME_LINT: false # conflicts with prettier VALIDATE_GIT_COMMITLINT: false # commitlint is bad VALIDATE_JSCPD: false # too prone to false-positives diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index cee2e69..ce56851 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -43,6 +43,8 @@ jobs: GITHUB_TOKEN: ${{ github.token }} BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug FILTER_REGEX_EXCLUDE: node_modules + VALIDATE_BIOME_FORMAT: false # conflicts with prettier + VALIDATE_BIOME_LINT: false # conflicts with prettier VALIDATE_GIT_COMMITLINT: false # commitlint is bad VALIDATE_JSCPD: false # too prone to false-positives From d8cc15a132795312f78afccfb6c9eab040b5338c Mon Sep 17 00:00:00 2001 
From: Jason Karns Date: Thu, 18 Dec 2025 16:47:28 -0500 Subject: [PATCH 22/41] Secrets aren't needed for these jobs --- .github/workflows/.github_release.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/.github_release.yml b/.github/workflows/.github_release.yml index 8956ca9..6e13e9d 100644 --- a/.github/workflows/.github_release.yml +++ b/.github/workflows/.github_release.yml @@ -9,9 +9,7 @@ jobs: uses: ./.github/workflows/release.yml with: { homebrew: false, npm: false } permissions: { contents: write, id-token: write } - secrets: inherit sync: uses: ./.github/workflows/sync-major-version.yml permissions: { contents: write } - secrets: inherit From 52aa6c32abe75868be832d9fa132ac662181857e Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Thu, 18 Dec 2025 16:52:53 -0500 Subject: [PATCH 23/41] Don't persist-creds where unnecessary --- .github/workflows/release.yml | 2 ++ .github/workflows/test.yml | 5 ++++- 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 869392f..261effa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -31,6 +31,7 @@ jobs: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: { persist-credentials: false } # TODO exit this job differently than success if release already exists - name: gh release create run: | @@ -64,6 +65,7 @@ jobs: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: { persist-credentials: false } - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: # FIXME https://github.com/actions/setup-node/pull/129 scope: ${{ inputs.npm_scope }} 
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index ce56851..3802244 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -25,6 +25,7 @@ jobs: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: { persist-credentials: false } - run: npm cit env: GITHUB_TOKEN: ${{ github.token }} @@ -37,7 +38,7 @@ jobs: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - with: { fetch-depth: 0 } + with: { fetch-depth: 0, persist-credentials: false } - uses: super-linter/super-linter/slim@2bdd90ed3262e023ac84bf8fe35dc480721fc1f2 # v8.2.1 env: GITHUB_TOKEN: ${{ github.token }} @@ -60,6 +61,7 @@ jobs: api.securityscorecards.dev:443 github.com:443 - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: { persist-credentials: false } - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 ossf-scorecard: @@ -70,6 +72,7 @@ jobs: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: { persist-credentials: false } - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: results_file: ossf-scorecard-results.sarif From 1dc4149ee46dc47483b744de1fa060d8186ad5da Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Thu, 18 Dec 2025 16:53:03 -0500 Subject: [PATCH 24/41] Explicitly persist-creds when necessary --- .github/workflows/sync-default-branch.yml | 3 +++ .github/workflows/sync-major-version.yml | 3 +++ 2 files changed, 6 insertions(+) 
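Review bot: In the first test.yml hunk the `npm cit` step still has `GITHUB_TOKEN: ${{ github.token }}` in its environment, so dependency install scripts and test code can read the token even though checkout no longer persists it. If the tests do not call the GitHub API, drop that `env` entry; otherwise consider splitting the step into `- run: npm ci --ignore-scripts` and a separate `- run: npm test` that alone gets the token, provided no dependency needs its install script. The job's `permissions` block is above the hunk, so the token's scope cannot be judged from here.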
diff --git a/.github/workflows/sync-default-branch.yml b/.github/workflows/sync-default-branch.yml index ef8eb47..2ec1208 100644 --- a/.github/workflows/sync-default-branch.yml +++ b/.github/workflows/sync-default-branch.yml @@ -11,4 +11,7 @@ jobs: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: true # need creds for subsequent git ops + - run: git push --force origin HEAD:refs/heads/master diff --git a/.github/workflows/sync-major-version.yml b/.github/workflows/sync-major-version.yml index 4daf244..453c775 100644 --- a/.github/workflows/sync-major-version.yml +++ b/.github/workflows/sync-major-version.yml @@ -12,6 +12,9 @@ jobs: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + with: + persist-credentials: true # need creds for subsequent git ops + # FIXME pushes branch instead of tag because github bug: # https://github.com/orgs/community/discussions/163366 - run: git push -f origin "HEAD:refs/heads/${GITHUB_REF_NAME%%.*}" From 64fb773acd26557f11ac98b799404ebf49dfb6c6 Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Thu, 18 Dec 2025 17:19:39 -0500 Subject: [PATCH 25/41] Bump superlinter from 8.2.1 to 8.3.1 (#134) --- .github/workflows/.github_test.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml index 10ee6df..2dde35b 100644 --- a/.github/workflows/.github_test.yml +++ b/.github/workflows/.github_test.yml 
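Review bot: The sync-major-version.yml hunk keeps the checkout credential for `git push -f origin "HEAD:refs/heads/${GITHUB_REF_NAME%%.*}"`, and that step force-updates whatever branch name the expansion yields without checking its shape. Assuming release tags look like `v1.2.3` (what `npm version` produces), the step should fail unless the result matches `v<number>`, so an unexpected ref name can never overwrite an unrelated branch. The workflow's trigger and the job header are outside the hunk, so which refs can reach this step is not visible here.

```yaml
# … unchanged: harden-runner and checkout with persist-credentials: true …
# … unchanged: FIXME comment about pushing a branch instead of a tag …
- run: |
    major="${GITHUB_REF_NAME%%.*}"
    [[ "$major" =~ ^v[0-9]+$ ]] || { echo "unexpected ref name: ${GITHUB_REF_NAME}" >&2; exit 1; }
    git push -f origin "HEAD:refs/heads/${major}"
```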
@@ -50,7 +50,7 @@ jobs: with: repository: nodenv/${{ matrix.repo }} persist-credentials: false - - uses: super-linter/super-linter/slim@2bdd90ed3262e023ac84bf8fe35dc480721fc1f2 # v8.2.1 + - uses: super-linter/super-linter/slim@47984f49b4e87383eed97890fe2dca6063bbd9c3 # v8.3.1 env: ### RUN_LOCAL+USE_FIND_ALGORITHM to workaround superlinter RUN_LOCAL: true diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 3802244..e39ab6d 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -39,7 +39,7 @@ jobs: with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: { fetch-depth: 0, persist-credentials: false } - - uses: super-linter/super-linter/slim@2bdd90ed3262e023ac84bf8fe35dc480721fc1f2 # v8.2.1 + - uses: super-linter/super-linter/slim@47984f49b4e87383eed97890fe2dca6063bbd9c3 # v8.3.1 env: GITHUB_TOKEN: ${{ github.token }} BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug From cdc8bffee894c6e74b9c7dd2ba66827325b01883 Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Fri, 19 Dec 2025 08:20:39 -0500 Subject: [PATCH 26/41] lint homebrew-nodenv (#136) --- .github/workflows/.github_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml index 2dde35b..770c862 100644 --- a/.github/workflows/.github_test.yml +++ b/.github/workflows/.github_test.yml @@ -25,7 +25,7 @@ jobs: matrix: repo: - actions - # - homebrew-nodenv + - homebrew-nodenv - jetbrains-npm # - node-build - node-build-prerelease From a130e3538e43aa8b2b612ef62573c25b35b256b6 Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Fri, 19 Dec 2025 08:58:41 -0500 Subject: [PATCH 27/41] lint nodenv-package-rehash (#137) --- .github/workflows/.github_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml index 770c862..6d0030f 100644 
--- a/.github/workflows/.github_test.yml +++ b/.github/workflows/.github_test.yml @@ -40,7 +40,7 @@ jobs: - nodenv-npm-migrate # - nodenv-nvmrc # - nodenv-package-json-engine - # - nodenv-package-rehash + - nodenv-package-rehash # - nodenv-update - nodenv-vars steps: From 72a14555e7449d9730e24138088ebc00f1289240 Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Fri, 19 Dec 2025 16:05:51 -0500 Subject: [PATCH 28/41] Update .editorconfig to trim trailing whitespace --- .editorconfig | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.editorconfig b/.editorconfig index 5e41726..bd929bc 100644 --- a/.editorconfig +++ b/.editorconfig @@ -4,6 +4,7 @@ root = true [*] charset = utf-8 end_of_line = lf -insert_final_newline = true indent_size = 2 indent_style = space +insert_final_newline = true +trim_trailing_whitespace = true From 8b704851f9dc165503e9210f537567ff66dec219 Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Mon, 22 Dec 2025 10:40:55 -0500 Subject: [PATCH 29/41] Unblock dependency-review action (#138) --- .github/workflows/test.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index e39ab6d..515b7c3 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -57,6 +57,7 @@ jobs: with: egress-policy: block allowed-endpoints: > + api.deps.dev:443 api.github.com:443 api.securityscorecards.dev:443 github.com:443 From 0ed5c19e7dcad556f7df72b6f83856985d069d3a Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Mon, 22 Dec 2025 10:52:30 -0500 Subject: [PATCH 30/41] Lint nodenv-nvmrc --- .github/workflows/.github_test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml index 6d0030f..06dcf88 100644 --- a/.github/workflows/.github_test.yml +++ b/.github/workflows/.github_test.yml 
@@ -38,7 +38,7 @@ jobs: - nodenv-installer - nodenv-man - nodenv-npm-migrate - # - nodenv-nvmrc + - nodenv-nvmrc # - nodenv-package-json-engine - nodenv-package-rehash # - nodenv-update From 3333ce09fb5799147285be59b6a9db4c014af8d8 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Dec 2025 17:10:58 +0000 Subject: [PATCH 31/41] Bump actions/checkout from 5.0.0 to 6.0.1 Bumps [actions/checkout](https://github.com/actions/checkout) from 5.0.0 to 6.0.1. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/08c6903cd8c0fde910a37f88322edcfb5dd907a8...8e8c483db84b4bee98b60c0593521ed34d9990e8) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/.github_test.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/sync-default-branch.yml | 2 +- .github/workflows/sync-major-version.yml | 2 +- .github/workflows/test.yml | 8 ++++---- 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml index 06dcf88..112d65c 100644 --- a/.github/workflows/.github_test.yml +++ b/.github/workflows/.github_test.yml @@ -46,7 +46,7 @@ jobs: steps: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: repository: nodenv/${{ matrix.repo }} persist-credentials: false diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 261effa..d83804a 100644 --- a/.github/workflows/release.yml 
+++ b/.github/workflows/release.yml @@ -30,7 +30,7 @@ jobs: steps: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: { persist-credentials: false } # TODO exit this job differently than success if release already exists - name: gh release create @@ -64,7 +64,7 @@ jobs: steps: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: { persist-credentials: false } - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 with: # FIXME https://github.com/actions/setup-node/pull/129 diff --git a/.github/workflows/sync-default-branch.yml b/.github/workflows/sync-default-branch.yml index 2ec1208..334dcb5 100644 --- a/.github/workflows/sync-default-branch.yml +++ b/.github/workflows/sync-default-branch.yml @@ -10,7 +10,7 @@ jobs: steps: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: true # need creds for subsequent git ops diff --git a/.github/workflows/sync-major-version.yml b/.github/workflows/sync-major-version.yml index 453c775..5250847 100644 --- a/.github/workflows/sync-major-version.yml +++ b/.github/workflows/sync-major-version.yml 
@@ -11,7 +11,7 @@ jobs: steps: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: persist-credentials: true # need creds for subsequent git ops diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 515b7c3..69d4bf6 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,7 +24,7 @@ jobs: steps: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: { persist-credentials: false } - run: npm cit env: @@ -37,7 +37,7 @@ jobs: steps: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: { fetch-depth: 0, persist-credentials: false } - uses: super-linter/super-linter/slim@47984f49b4e87383eed97890fe2dca6063bbd9c3 # v8.3.1 env: @@ -61,7 +61,7 @@ jobs: api.github.com:443 api.securityscorecards.dev:443 github.com:443 - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: { persist-credentials: false } - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 
@@ -72,7 +72,7 @@ jobs: steps: - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 with: { egress-policy: audit } - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: { persist-credentials: false } - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: From 6e39c83c64abf6be69bcddab6178a21110bc5a23 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 22 Dec 2025 17:11:09 +0000 Subject: [PATCH 32/41] Bump actions/setup-node from 4.4.0 to 6.1.0 Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 6.1.0. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](https://github.com/actions/setup-node/compare/49933ea5288caeca8642d1e84afbd3f7d6820020...395ad3262231945c25e8478fd5baf05154b1d79f) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 6.1.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/release.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 261effa..5b45b42 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml @@ -66,7 +66,7 @@ jobs: with: { egress-policy: audit } - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: { persist-credentials: false } - - uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0 + - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0 with: # FIXME https://github.com/actions/setup-node/pull/129 scope: ${{ inputs.npm_scope }} registry-url: https://registry.npmjs.org From 5d936c04f7d7ccbac210288a7f2bce9137070216 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Dec 2025 17:09:50 +0000 Subject: [PATCH 33/41] Bump actions/upload-artifact from 5.0.0 to 6.0.0 Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 5.0.0 to 6.0.0. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](https://github.com/actions/upload-artifact/compare/330a01c490aca151604b8cf639adc76d48f6c5d4...b7c566a772e6b6bfb58ed0dc250532a479d7789f) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 6.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 69d4bf6..8dc3b19 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -79,7 +79,7 @@ jobs: results_file: ossf-scorecard-results.sarif results_format: sarif publish_results: true - - uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0 + - uses: actions/upload-artifact@b7c566a772e6b6bfb58ed0dc250532a479d7789f # v6.0.0 with: name: ossf-scorecard-results.sarif path: ossf-scorecard-results.sarif From 96cef6fcb668713a64f3c447f9c076d575142962 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 29 Dec 2025 17:10:05 +0000 Subject: [PATCH 34/41] Bump step-security/harden-runner from 2.13.2 to 2.14.0 Bumps [step-security/harden-runner](https://github.com/step-security/harden-runner) from 2.13.2 to 2.14.0. - [Release notes](https://github.com/step-security/harden-runner/releases) - [Commits](https://github.com/step-security/harden-runner/compare/95d9a5deda9de15063e7595e9719c11c38c90ae2...20cf305ff2072d973412fa9b1e3a4f227bda3c76) --- updated-dependencies: - dependency-name: step-security/harden-runner dependency-version: 2.14.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] --- .github/workflows/.github_test.yml | 2 +- .github/workflows/release.yml | 6 +++--- .github/workflows/sync-default-branch.yml | 2 +- .github/workflows/sync-major-version.yml | 2 +- .github/workflows/test.yml | 8 ++++---- 5 files changed, 10 insertions(+), 10 deletions(-) diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml index 112d65c..52c2084 100644 --- a/.github/workflows/.github_test.yml +++ b/.github/workflows/.github_test.yml @@ -44,7 +44,7 @@ jobs: # - nodenv-update - nodenv-vars steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: { egress-policy: audit } - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8b58f8b..35da9c4 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -28,7 +28,7 @@ jobs:
 permissions: { contents: write }
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with: { persist-credentials: false }
@@ -47,7 +47,7 @@ jobs:
 permissions: { contents: read }
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
 - uses: mislav/bump-homebrew-formula-action@56a283fa15557e9abaa4bdb63b8212abc68e655c # v3.6
 with:
@@ -62,7 +62,7 @@ jobs:
 permissions: { id-token: write }
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with: { persist-credentials: false }
diff --git a/.github/workflows/sync-default-branch.yml b/.github/workflows/sync-default-branch.yml
index 334dcb5..1c898fa 100644
--- a/.github/workflows/sync-default-branch.yml
+++ b/.github/workflows/sync-default-branch.yml
@@ -8,7 +8,7 @@ jobs:
 permissions: { contents: write }
 runs-on: ubuntu-latest
 steps:
- - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2
+ - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with:
diff --git a/.github/workflows/sync-major-version.yml b/.github/workflows/sync-major-version.yml
index 5250847..6f21ee3 100644
--- a/.github/workflows/sync-major-version.yml
+++ b/.github/workflows/sync-major-version.yml @@ -9,7 +9,7 @@ jobs: permissions: { contents: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: { egress-policy: audit } - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 69d4bf6..9264e34 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -22,7 +22,7 @@ jobs: fail-fast: false matrix: { os: [ubuntu-latest, macOS-latest] } steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: { egress-policy: audit } - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: { persist-credentials: false } @@ -35,7 +35,7 @@ jobs: permissions: { contents: read, packages: read, statuses: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: { egress-policy: audit } - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: { fetch-depth: 0, persist-credentials: false } @@ -53,7 +53,7 @@ jobs: if: startsWith('pull_request', github.event_name) runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: egress-policy: block allowed-endpoints: 
> @@ -70,7 +70,7 @@ jobs: permissions: { id-token: write, security-events: write } runs-on: ubuntu-latest steps: - - uses: step-security/harden-runner@95d9a5deda9de15063e7595e9719c11c38c90ae2 # v2.13.2 + - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: { egress-policy: audit } - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 with: { persist-credentials: false } From 6cf9e19d780ca35114d46b5abc12090d9acd49c1 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 5 Jan 2026 17:09:49 +0000 Subject: [PATCH 35/41] Bump github/codeql-action from 3.29.3 to 4.31.9 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.29.3 to 4.31.9. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](https://github.com/github/codeql-action/compare/d6bbdef45e766d081b84a2def353b0055f728d3e...5d4e8d1aca955e8d8589aabd499c5cae939e33c7) --- updated-dependencies: - dependency-name: github/codeql-action dependency-version: 4.31.9 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- .github/workflows/test.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index 69d4bf6..0d5f215 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -83,6 +83,6 @@ jobs: with: name: ossf-scorecard-results.sarif path: ossf-scorecard-results.sarif - - uses: github/codeql-action/upload-sarif@d6bbdef45e766d081b84a2def353b0055f728d3e # v3.29.3 + - uses: github/codeql-action/upload-sarif@5d4e8d1aca955e8d8589aabd499c5cae939e33c7 # v4.31.9 with: sarif_file: ossf-scorecard-results.sarif From c3c409349009dee27549e0177f19b9c6510a8c47 Mon Sep 17 00:00:00 2001 
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 12 Jan 2026 21:05:00 +0000 Subject: [PATCH 36/41] Bump super-linter/super-linter from 8.3.1 to 8.3.2 Bumps [super-linter/super-linter](https://github.com/super-linter/super-linter) from 8.3.1 to 8.3.2. - [Release notes](https://github.com/super-linter/super-linter/releases) - [Changelog](https://github.com/super-linter/super-linter/blob/main/CHANGELOG.md) - [Commits](https://github.com/super-linter/super-linter/compare/47984f49b4e87383eed97890fe2dca6063bbd9c3...d5b0a2ab116623730dd094f15ddc1b6b25bf7b99) --- updated-dependencies: - dependency-name: super-linter/super-linter dependency-version: 8.3.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/.github_test.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml
index 112d65c..8923a9f 100644
--- a/.github/workflows/.github_test.yml
+++ b/.github/workflows/.github_test.yml
@@ -50,7 +50,7 @@ jobs:
 with:
 repository: nodenv/${{ matrix.repo }}
 persist-credentials: false
- - uses: super-linter/super-linter/slim@47984f49b4e87383eed97890fe2dca6063bbd9c3 # v8.3.1
+ - uses: super-linter/super-linter/slim@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.3.2
 env:
 ### RUN_LOCAL+USE_FIND_ALGORITHM to workaround superlinter
 RUN_LOCAL: true
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 69d4bf6..a395b8b 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -39,7 +39,7 @@ jobs:
 with: { egress-policy: audit }
 - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 with: { fetch-depth: 0, persist-credentials: false }
- - uses: super-linter/super-linter/slim@47984f49b4e87383eed97890fe2dca6063bbd9c3 # v8.3.1
+ - uses: super-linter/super-linter/slim@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.3.2
 env:
 GITHUB_TOKEN: ${{ github.token }}
 BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug
From 96caf9223dc98e46ad16056a543cea5b218d073c Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 26 Jan 2026 18:49:51 +0000 Subject: [PATCH 37/41] Bump actions/checkout from 6.0.1 to 6.0.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 6.0.1 to 6.0.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](https://github.com/actions/checkout/compare/8e8c483db84b4bee98b60c0593521ed34d9990e8...de0fac2e4500dabe0009e67214ff5f5447ce83dd) --- updated-dependencies: - dependency-name: actions/checkout dependency-version: 6.0.2 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] --- .github/workflows/.github_test.yml | 2 +- .github/workflows/release.yml | 4 ++-- .github/workflows/sync-default-branch.yml | 2 +- .github/workflows/sync-major-version.yml | 2 +- .github/workflows/test.yml | 8 ++++---- 5 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml
index 36d8c21..f801ab6 100644
--- a/.github/workflows/.github_test.yml
+++ b/.github/workflows/.github_test.yml
@@ -46,7 +46,7 @@ jobs:
 steps:
 - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with:
 repository: nodenv/${{ matrix.repo }}
 persist-credentials: false
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index 35da9c4..abb6de2 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -30,7 +30,7 @@ jobs:
 steps:
 - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with: { persist-credentials: false }
 # TODO exit this job differently than success if release already exists
 - name: gh release create
@@ -64,7 +64,7 @@ jobs:
 steps:
 - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
 with: { egress-policy: audit }
- - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with: { persist-credentials: false }
 - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
 with: # FIXME https://github.com/actions/setup-node/pull/129
diff --git a/.github/workflows/sync-default-branch.yml b/.github/workflows/sync-default-branch.yml
index 1c898fa..3aaa2fb 100644
--- a/.github/workflows/sync-default-branch.yml
+++ b/.github/workflows/sync-default-branch.yml
@@ -10,7 +10,7 @@ jobs: steps: - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: { egress-policy: audit } - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: true # need creds for subsequent git ops diff --git a/.github/workflows/sync-major-version.yml b/.github/workflows/sync-major-version.yml index 6f21ee3..a8bc684 100644 --- a/.github/workflows/sync-major-version.yml +++ b/.github/workflows/sync-major-version.yml @@ -11,7 +11,7 @@ jobs: steps: - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: { egress-policy: audit } - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: persist-credentials: true # need creds for subsequent git ops diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml index a6b3e60..bbcbc90 100644 --- a/.github/workflows/test.yml +++ b/.github/workflows/test.yml @@ -24,7 +24,7 @@ jobs: steps: - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: { egress-policy: audit } - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: { persist-credentials: false } - run: npm cit env: @@ -37,7 +37,7 @@ jobs: steps: - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: { egress-policy: audit } - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: { fetch-depth: 0, persist-credentials: false } - uses: super-linter/super-linter/slim@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.3.2 env: 
@@ -61,7 +61,7 @@ jobs: api.github.com:443 api.securityscorecards.dev:443 github.com:443 - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: { persist-credentials: false } - uses: actions/dependency-review-action@3c4e3dcb1aa7874d2c16be7d79418e9b7efd6261 # v4.8.2 @@ -72,7 +72,7 @@ jobs: steps: - uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0 with: { egress-policy: audit } - - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 with: { persist-credentials: false } - uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 with: From 4cc5a4db1a4290593c095ec8f06c10c5df38b493 Mon Sep 17 00:00:00 2001 From: Jason Karns Date: Sun, 18 Jan 2026 15:44:38 -0500 Subject: [PATCH 38/41] RUN_LOCAL is no longer necessary since superlinter 8.4 --- .github/workflows/.github_test.yml | 8 +++----- .github/workflows/test.yml | 2 +- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml index f801ab6..a0afdef 100644 --- a/.github/workflows/.github_test.yml +++ b/.github/workflows/.github_test.yml @@ -50,12 +50,10 @@ jobs: with: repository: nodenv/${{ matrix.repo }} persist-credentials: false - - uses: super-linter/super-linter/slim@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.3.2 + - uses: super-linter/super-linter/slim@12562e48d7059cf666c43a4ecb0d3b5a2b31bd9e # v8.4.0 env: - ### RUN_LOCAL+USE_FIND_ALGORITHM to workaround superlinter - RUN_LOCAL: true - USE_FIND_ALGORITHM: true - ### + USE_FIND_ALGORITHM: true # workaround superlinter + ### below here should match our reusable test workflow config GITHUB_TOKEN: ${{ github.token }} BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug #5731 FILTER_REGEX_EXCLUDE: node_modules 
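Review bot: The new comment on `USE_FIND_ALGORITHM: true # workaround superlinter` in the `.github_test.yml` hunk no longer says what is being worked around, so nobody can tell when this flag can be dropped the way `RUN_LOCAL` was here. The line just below shows the convention to follow (`# superlinter bug #5731`); I would name the cause the same way, e.g. `USE_FIND_ALGORITHM: true # <reason or upstream issue, placeholder>`, presumably related to this job linting a checkout of `nodenv/${{ matrix.repo }}` rather than its own repository. The added `### below here should match our reusable test workflow config` marker makes the duplication with `test.yml` a hand-maintained invariant, which the later one-line additions to both files confirm. The `env:` block continues past the end of the hunk.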
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index bbcbc90..79f7e54 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -39,7 +39,7 @@ jobs:
 with: { egress-policy: audit }
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with: { fetch-depth: 0, persist-credentials: false }
- - uses: super-linter/super-linter/slim@d5b0a2ab116623730dd094f15ddc1b6b25bf7b99 # v8.3.2
+ - uses: super-linter/super-linter/slim@12562e48d7059cf666c43a4ecb0d3b5a2b31bd9e # v8.4.0
 env:
 GITHUB_TOKEN: ${{ github.token }}
 BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug
From 5f23a4632d9704d60559f9668477ab62b50746a1 Mon Sep 17 00:00:00 2001
From: Jason Karns Date: Sun, 1 Feb 2026 15:46:20 -0500 Subject: [PATCH 39/41] Disable codespell for now --- .github/workflows/.github_test.yml | 1 + .github/workflows/test.yml | 1 + 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml
index a0afdef..676abda 100644
--- a/.github/workflows/.github_test.yml
+++ b/.github/workflows/.github_test.yml
@@ -61,3 +61,4 @@ jobs:
 VALIDATE_BIOME_LINT: false # conflicts with prettier
 VALIDATE_GIT_COMMITLINT: false # commitlint is bad
 VALIDATE_JSCPD: false # too prone to false-positives
+ VALIDATE_SPELL_CODESPELL: false # TODO
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 79f7e54..27d6292 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -48,6 +48,7 @@ jobs:
 VALIDATE_BIOME_LINT: false # conflicts with prettier
 VALIDATE_GIT_COMMITLINT: false # commitlint is bad
 VALIDATE_JSCPD: false # too prone to false-positives
+ VALIDATE_SPELL_CODESPELL: false # TODO
 dependency-review:
 if: startsWith('pull_request', github.event_name)
From 07eceea43533450c49520b74890610308902fe15 Mon Sep 17 00:00:00 2001
From: Jason Karns Date: Sun, 8 Feb 2026 15:05:44 -0500 Subject: [PATCH 40/41] Can't use zizmor in shared reusible workflow See https://github.com/zizmorcore/zizmor/issues/1585 Zizmor is currently limited to be unable to tell what is a local action (local to the same github organization). As such, it cannot treat reusable workflows as "local", and thus considers non-sha-pinned workflows as a violation. And since there isn't any way to override this setting without creating a zizmor config _in every repo_, we must sadly disable the entire linter. It's possible that a future enhancement will allow us to create a single shared configuration: https://github.com/orgs/zizmorcore/discussions/1142 But until that time, this linter is not worth the maintenance overhead. --- .github/workflows/.github_test.yml | 1 + .github/workflows/test.yml | 1 + 2 files changed, 2 insertions(+)
diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml
index 676abda..41be370 100644
--- a/.github/workflows/.github_test.yml
+++ b/.github/workflows/.github_test.yml
@@ -60,5 +60,6 @@ jobs:
 VALIDATE_BIOME_FORMAT: false # conflicts with prettier
 VALIDATE_BIOME_LINT: false # conflicts with prettier
 VALIDATE_GIT_COMMITLINT: false # commitlint is bad
+ VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
 VALIDATE_JSCPD: false # too prone to false-positives
 VALIDATE_SPELL_CODESPELL: false # TODO
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 27d6292..3a6c8e3 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -47,6 +47,7 @@ jobs:
 VALIDATE_BIOME_FORMAT: false # conflicts with prettier
 VALIDATE_BIOME_LINT: false # conflicts with prettier
 VALIDATE_GIT_COMMITLINT: false # commitlint is bad
+ VALIDATE_GITHUB_ACTIONS_ZIZMOR: false
 VALIDATE_JSCPD: false # too prone to false-positives
 VALIDATE_SPELL_CODESPELL: false # TODO
From 0ea86bfacdd8228731eaded9cb8cfaf37bf04066 Mon Sep 17 00:00:00 2001
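Review bot: `VALIDATE_GITHUB_ACTIONS_ZIZMOR: false` is the only switch in the visible list added without a trailing reason, and it is the one that removes a security check: with it off, none of zizmor's workflow audits run, not only the unpinned-reusable-workflow finding the commit message describes. I would put the reason and the exit condition on the line itself, `VALIDATE_GITHUB_ACTIONS_ZIZMOR: false # zizmor#1585: org-local reusable workflows reported as unpinned; re-enable once a shared config is possible`, in the `.github_test.yml` hunk and in the matching `test.yml` hunk. Since `test.yml` is referred to as the shared reusable workflow, the setting presumably reaches every repository that calls it, so it is worth confirming that something else still reviews workflow changes for pinning and token permissions. The `env:` block starts above both hunks.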
From: Jason Karns Date: Sun, 8 Feb 2026 15:20:26 -0500 Subject: [PATCH 41/41] Bump superlinter to 8.5.0 --- .github/workflows/.github_test.yml | 2 +- .github/workflows/test.yml | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/.github_test.yml b/.github/workflows/.github_test.yml
index 41be370..631ad10 100644
--- a/.github/workflows/.github_test.yml
+++ b/.github/workflows/.github_test.yml
@@ -50,7 +50,7 @@ jobs:
 with:
 repository: nodenv/${{ matrix.repo }}
 persist-credentials: false
- - uses: super-linter/super-linter/slim@12562e48d7059cf666c43a4ecb0d3b5a2b31bd9e # v8.4.0
+ - uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
 env:
 USE_FIND_ALGORITHM: true # workaround superlinter
 ### below here should match our reusable test workflow config
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3a6c8e3..b0ebdc4 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -39,7 +39,7 @@ jobs:
 with: { egress-policy: audit }
 - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
 with: { fetch-depth: 0, persist-credentials: false }
- - uses: super-linter/super-linter/slim@12562e48d7059cf666c43a4ecb0d3b5a2b31bd9e # v8.4.0
+ - uses: super-linter/super-linter/slim@61abc07d755095a68f4987d1c2c3d1d64408f1f9 # v8.5.0
 env:
 GITHUB_TOKEN: ${{ github.token }}
 BASH_EXEC_IGNORE_LIBRARIES: true # superlinter bug