Bump mindsers/changelog-reader-action from 2.2.3 to 2.4.0 #636

Merged
fedejaure merged 1 commit into main from dependabot/github_actions/main/mindsers/changelog-reader-action-2.4.0 on Jun 4, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 1, 2026


Bumps mindsers/changelog-reader-action from 2.2.3 to 2.4.0.

Release notes

Sourced from mindsers/changelog-reader-action's releases.

v2.4.0

Added

  • New changes_file output: a path to a temporary file containing the matched entry's text, for tools that consume release notes as a file (goreleaser, gh release create --notes-file, etc.). Resolves #68.
  • New version_scheme input (semver default, or pep440) enabling extraction and validation of Python PEP 440 version identifiers like 0.1.0a1. Resolves #38.

Security

  • Harden the reference-link parsing regex against catastrophic backtracking (CodeQL js/redos). The previous pattern had a . character in two overlapping character classes; a hostile CHANGELOG line could in principle trigger exponential matching time. The fix tightens the label character class without changing the regex's accepted inputs.

v2.3.0

Changed

  • Use Node 24 as the action runtime.
  • Refactor the internal entry, validation, and pipeline modules for type safety and easier maintenance. No change in observable behavior for action consumers.
  • Modernize the bundled runtime dependencies: @actions/core 1.x → 2.x and the YAML parser 1.x → 2.x. The action's input/output contract is unchanged.

Fixed

  • Declare semver as a runtime dependency instead of a dev dependency.
  • Stop dumping the full CHANGELOG content to debug logs when parsing entries and links.
  • Detect the Unreleased heading case-insensitively when picking the most recent released entry.
  • Warn (instead of silently degrading) when validation_level or validation_depth inputs are invalid; fall back to safe defaults.
  • Warn (instead of silently using an empty config) when an explicit config_file does not exist.
  • Validate the shape of YAML/JSON config files; warn on per-field type mismatches and reject non-object roots.
  • Recognize bare ## Unreleased headings in addition to the bracketed ## [Unreleased] form.

Changelog

Sourced from mindsers/changelog-reader-action's changelog.

[2.4.0] - 2026-05-20

Added

  • New changes_file output: a path to a temporary file containing the matched entry's text, for tools that consume release notes as a file (goreleaser, gh release create --notes-file, etc.). Resolves #68.
  • New version_scheme input (semver default, or pep440) enabling extraction and validation of Python PEP 440 version identifiers like 0.1.0a1. Resolves #38.

Security

  • Harden the reference-link parsing regex against catastrophic backtracking (CodeQL js/redos). The previous pattern had a . character in two overlapping character classes; a hostile CHANGELOG line could in principle trigger exponential matching time. The fix tightens the label character class without changing the regex's accepted inputs.

[2.3.0] - 2026-05-19

Changed

  • Use Node 24 as the action runtime.
  • Refactor the internal entry, validation, and pipeline modules for type safety and easier maintenance. No change in observable behavior for action consumers.
  • Modernize the bundled runtime dependencies: @actions/core 1.x → 2.x and the YAML parser 1.x → 2.x. The action's input/output contract is unchanged.

Fixed

  • Declare semver as a runtime dependency instead of a dev dependency.
  • Stop dumping the full CHANGELOG content to debug logs when parsing entries and links.
  • Detect the Unreleased heading case-insensitively when picking the most recent released entry.
  • Warn (instead of silently degrading) when validation_level or validation_depth inputs are invalid; fall back to safe defaults.
  • Warn (instead of silently using an empty config) when an explicit config_file does not exist.
  • Validate the shape of YAML/JSON config files; warn on per-field type mismatches and reject non-object roots.
  • Recognize bare ## Unreleased headings in addition to the bracketed ## [Unreleased] form.

Commits
  • 1faaf50 chore(release): v2.4.0
  • 5f62f39 feat: support PEP 440 versions via a version_scheme input (#123)
  • c8614b9 feat: add changes_file output (#68) (#122)
  • 6a1d138 fix: harden link-parsing regex against catastrophic backtracking (#121)
  • 695e5c9 chore(ci): use the action itself to extract release notes (#120)
  • 4b39e79 chore(release): v2.3.0
  • 5169600 fix: tighten input and config validation for v2.3.0 (#119)
  • a5d2d13 chore(deps): upgrade toolchain to current (Node 24, @actions/core 2, yaml 2, ...
  • 5358d0b unify link handling, type rule results, extract pure pipeline (#117)
  • 347fff2 Phase 4: SECURITY.md, code of conduct, issue/PR templates, commitlint (#115)
  • Additional commits viewable in compare view

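The Security note above describes a reference-link regex with `.` in two overlapping character classes. As an added example (not code from changelog-reader-action, whose real patterns are not on this page), the JavaScript below pairs a hypothetical loose pattern of that shape with a tightened one, parses Keep a Changelog reference links with the safe pattern, and checks that both patterns accept exactly the same lines, which is the regression check the release note's "without changing the accepted inputs" claim calls for. The sample CHANGELOG tail and its URLs are constructed.

```javascript
// Added example (not code from changelog-reader-action). Both regexes are
// assumptions modelled on the release note, not the action's real patterns.

// Hypothetical "before": `.` appears in both [\w.] and [.\-], inside a repeated
// alternation, so an unterminated line such as "[" followed by n dots explores
// about 2^n paths before failing (the CodeQL js/redos finding in the note).
const LOOSE_LINK_RE = /^\[((?:[\w.]|[.\-])+)\]:\s*(\S+)\s*$/;

// Hardened: the same accepted set ([\w.\-]+) expressed as one class, so each
// character has exactly one way to match and matching stays linear.
const TIGHT_LINK_RE = /^\[([\w.\-]+)\]:\s*(\S+)\s*$/;

// Parse "[label]: url" reference links out of changelog text, ignoring every
// other line (headings, bullet points, blank lines).
function parseReferenceLinks(text) {
  const links = [];
  for (const line of text.split(/\r?\n/)) {
    const m = TIGHT_LINK_RE.exec(line);
    if (m) links.push({ label: m[1], url: m[2] });
  }
  return links;
}

// Regression check for the release note's claim that the fix does not change
// accepted inputs: both patterns must agree on match/no-match and on captures.
function acceptsSame(lines) {
  return lines.every((line) => {
    const a = LOOSE_LINK_RE.exec(line);
    const b = TIGHT_LINK_RE.exec(line);
    if (!a || !b) return a === b; // true only when both are null
    return a[1] === b[1] && a[2] === b[2];
  });
}

// Constructed sample CHANGELOG tail (URLs are placeholders).
const SAMPLE_CHANGELOG = [
  "## [2.4.0] - 2026-05-20",
  "",
  "- Harden the reference-link parsing regex.",
  "",
  "[Unreleased]: https://example.com/compare/v2.4.0...HEAD",
  "[2.4.0]: https://example.com/compare/v2.3.0...v2.4.0",
  "[0.1.0a1]: https://example.com/releases/tag/v0.1.0a1",
  "[bad label]: https://example.com/not-a-link",
].join("\n");
```

Run `acceptsSame` over a real CHANGELOG.md before swapping a regex in a parser; a disagreement on any line means the "same accepted inputs" claim does not hold for that file.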
@dependabot dependabot Bot added dependencies Dependencies github_actions Github Actions labels Jun 1, 2026
@fedejaure fedejaure enabled auto-merge June 3, 2026 15:30
@fedejaure (Owner) commented:

@dependabot rebase

@dependabot dependabot Bot force-pushed the dependabot/github_actions/main/mindsers/changelog-reader-action-2.4.0 branch from a9078e4 to ab904ca on June 3, 2026 15:32
@fedejaure (Owner) commented:

@dependabot rebase

Bumps [mindsers/changelog-reader-action](https://github.com/mindsers/changelog-reader-action) from 2.2.3 to 2.4.0.
- [Release notes](https://github.com/mindsers/changelog-reader-action/releases)
- [Changelog](https://github.com/mindsers/changelog-reader-action/blob/master/CHANGELOG.md)
- [Commits](mindsers/changelog-reader-action@v2.2.3...v2.4.0)

---
updated-dependencies:
- dependency-name: mindsers/changelog-reader-action
  dependency-version: 2.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/main/mindsers/changelog-reader-action-2.4.0 branch from ab904ca to b27f80e on June 4, 2026 08:51
@fedejaure fedejaure merged commit 263f293 into main Jun 4, 2026
4 checks passed
@fedejaure fedejaure deleted the dependabot/github_actions/main/mindsers/changelog-reader-action-2.4.0 branch June 4, 2026 08:55