Bump zizmorcore/zizmor from 1.12.1 to 1.14.2

[dependabot]

Bumps zizmorcore/zizmor from 1.12.1 to 1.14.2.

Release notes

Sourced from zizmorcore/zizmor's releases.

v1.14.2

Bug Fixes 🐛🔗

• Fixed a bug where the use-trusted-publishing audit would produce-false positive findings for some run: blocks that implicitly performed trusted publishing (#1191)

v1.14.1

Bug Fixes 🐛🔗

• Fixed a bug where the ref-version-mismatch would incorrectly show the wrong commit SHAs in its findings (#1183)

v1.14.0

New Features 🌈🔗

• New audit: ref-version-mismatch detects mismatches between hash-pinned action references and their version comments (#972)

  Many thanks to @​segiddins for implementing this audit!

Enhancements 🌱🔗

• zizmor no longer uses the "Unknown" severity or confidence levels for any findings. All findings previously categorized at these levels are now given a more meaningful level (#1164)

• The use-trusted-publishing audit now detects various Trusted Publishing patterns for the npm ecosystem (#1161)

  Many thanks to @​KristianGrafana for implementing this improvement!

• The unsound-condition audit now supports auto-fixes for many findings (#1089)

  Many thanks to @​mostafa for implementing this improvement!

• zizmor's error handling has been restructured, improving the quality of error messages and their associated suggestions (#1169)

Bug Fixes 🐛🔗

• Fixed a bug where the cache-poisoning audit would fail to detect some cache usage variants in newer versions of actions/setup-node (#1152)

• Fixed a bug where the obfuscation audit would incorrectly flag some subexpressions as constant-reducible when they were not (#1170)

Deprecations ⚠️🔗

• The unknown values for --min-severity and --min-confidence are now deprecated. These values were already no-ops (and have been since introduction), and will be removed in a future release (#1164)

  Until removal, using these values will emit a warning.

v1.13.0

New Features 🌈🔗

• New audit: undocumented-permissions detects explicit permission grants that lack an explanatory comment (#1131)

  Many thanks to @​johnbillion for proposing and implementing this audit!

... (truncated)

Changelog

Sourced from zizmorcore/zizmor's changelog.

1.14.2

Bug Fixes 🐛

• Fixed a bug where the [use-trusted-publishing] audit would produce-false positive findings for some run: blocks that implicitly performed trusted publishing (#1191)

1.14.1

Bug Fixes 🐛

• Fixed a bug where the [ref-version-mismatch] would incorrectly show the wrong commit SHAs in its findings (#1183)

1.14.0

New Features 🌈

• New audit: [ref-version-mismatch] detects mismatches between hash-pinned action references and their version comments (#972)

  Many thanks to @​segiddins for implementing this audit!

Enhancements 🌱

• zizmor no longer uses the "Unknown" severity or confidence levels for any findings. All findings previously categorized at these levels are now given a more meaningful level (#1164)

• The [use-trusted-publishing] audit now detects various Trusted Publishing patterns for the npm ecosystem (#1161)

  Many thanks to @​KristianGrafana for implementing this improvement!

• The [unsound-condition] audit now supports auto-fixes for many findings (#1089)

  Many thanks to @​mostafa for implementing this improvement!

• zizmor's error handling has been restructured, improving the quality of error messages and their associated suggestions (#1169)

Bug Fixes 🐛

• Fixed a bug where the [cache-poisoning] audit would fail to detect some cache usage variants in newer versions of actions/setup-node (#1152)

• Fixed a bug where the [obfuscation] audit would incorrectly flag

... (truncated)

Commits

• 03af241 prep release 1.14.2 (#1193)
• 0b8b2b0 fix(use-trusted-publishing): eliminate FPs (#1192)
• 6c8b251 prep 1.14.1 (#1185)
• 15784e6 fix(ref-version-mismatch): correct commit SHA in audit message (#1183)
• cc88277 docs: bump trophies (#1182)
• b5334ce prep for 1.14.0 release (#1180)
• 48b8ece docs: document ref-version-mismatch audit (#1179)
• 9ed3607 fix(obfuscation): don't consider fromJSON(...) constant-reducible (#1178)
• ffd91b1 refactor: formalize input collection errors (#1169)
• 896470e docs: bump trophies (#1173)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)